When a Medicare.gov account is created without your permission, the risk is not only that someone opened an online profile. It can mean your Medicare Beneficiary Identifier (MBI) and other personal details were used to reach claims information, plan details, or mailing data that should stay private. The fastest recovery comes from treating the problem as three related tracks: the account itself, the Medicare number behind it, and any identity misuse that could spill into other systems.
On June 30, 2025, CMS said about 103,000 beneficiaries may have been impacted after bad actors used valid beneficiary information to fraudulently create Medicare.gov accounts. CMS also said current Medicare benefits and coverage were not affected, but affected beneficiaries could receive new Medicare cards and new MBIs. That distinction matters. Losing control of the account is serious, but it is not the same as losing coverage. It means you need a controlled response, not panic.
Key idea: an unauthorized Medicare.gov account is both an account-access problem and a medical-identity problem. Handle both, in that order.
First 15 minutes
Start with the lane that matches what you know right now.
| What happened | Do this first | Why it comes first |
|---|---|---|
| You got a paper letter but never opened a Medicare account | Call 1-800-MEDICARE and confirm the action was unauthorized | Official letters are tied to real account events and should be checked quickly |
| You can still sign in | Use a clean device to review the account and secure the identity service you use to log in | The attacker may still have a recovery path even if the account looks normal |
| You cannot sign in | Confirm the account state with Medicare, then work the official ID.me, CLEAR, or Login.gov support path | You need to know whether the blocker is Medicare or the identity provider |
| You see unfamiliar services, providers, or plan details | Review Medicare Summary Notices and Explanation of Benefits, then report suspicious activity | Claims misuse needs its own containment, separate from login recovery |
- Save the letter, screenshots, and any notices before you start changing anything.
- Use the official Medicare website or the phone number on your Medicare card, not numbers from random search results.
- Do not give your Medicare number or Social Security number to inbound callers who say they are helping.
- If you also see broader identity-theft signs, be ready to use IdentityTheft.gov.
Why the letter matters
Medicare's account-letter page says it sends letters when a new account is created, a password reset is requested, an account is closed, or a closed account is reopened. The same page says that if you did not take the action listed in the letter, you should call 1-800-MEDICARE right away. That means the letter is not something to ignore as generic mail. It is an audit trail for a real account event.
The timing matters too. Medicare says these letters usually arrive about two weeks after the action. So if a letter shows up late, the account event may already be old enough that you need to review notices and claims, not just the login itself.
Common mistake: assuming an account-creation letter is junk mail and throwing it away. Verify through official channels before you dismiss it.
If you got the letter but never created the account
Call 1-800-MEDICARE and say plainly that you received a letter confirming account activity you did not request. Ask the representative to confirm what action triggered the letter and what they want you to do next. Do not let the conversation drift into speculation about how the data was stolen. The practical goal is to establish whether an account exists, whether it was disabled, and whether any follow-up steps are required on your side.
- Keep the letter in front of you during the call.
- Write down the date, time, representative name, and any case number.
- Ask whether Medicare is issuing a new card or a new MBI.
- Ask what notices or claims you should review next.
If you later decide to create your own secure Medicare account, do it on your own terms through Medicare's official login page, not through a link in email, text, or social media.
Secure the real control plane: ID.me, CLEAR, or Login.gov
Medicare now routes secure account access through ID.me, CLEAR, or Login.gov. Medicare says these services verify identity so you are the only one who can access your information. If you already use one of them for Medicare, that service is now part of the recovery problem. A Medicare account can look stable while the identity-provider account behind it is still weak.
Start by securing the identity service you actually used. Change that password on a trusted device, review recovery methods, and remove any phone number or email address you do not control. If you use the same Login.gov or ID.me account for other government services, review those accounts too. The attack surface may be wider than Medicare.
Medicare also says you should use your own email address when signing up, not one shared with a spouse or family member. That is a privacy rule, but it is also a recovery rule. Shared inboxes blur who approved changes, who saw the letter, and who can reset the account later.
- Use a clean device for password changes.
- Confirm the email address on the identity-provider account is yours alone.
- Update recovery options before you log back in widely.
- If you cannot complete identity verification online, Medicare says in-person options may exist through ID.me or Login.gov, and 1-800-MEDICARE can help if you do not have a smartphone or computer.
If you can still sign in
Once you have secured the identity-provider account, check the Medicare account itself. Focus on evidence, not exploration. You are trying to answer three questions: did someone change contact information, did someone view or trigger plan activity, and is there any sign of claims or service history you do not recognize.
- Review profile and communication details.
- Check any messages, notices, or account-history areas for unexpected activity.
- Review plan and premium details for changes you did not make.
- Document anything unfamiliar before you start cleaning it up.
If the account looks wrong but you still have access, call Medicare while you are signed in. The combination of the live account and the phone call gives you the cleanest record of what changed and when.
If you cannot sign in
Do not keep guessing passwords or cycling through identity checks without a plan. Medicare's login help page makes the architecture clear: the gatekeeper is ID.me, CLEAR, or Login.gov. Sometimes the problem is the Medicare account. Sometimes the problem is the identity-provider account that is supposed to connect to it.
That is why the sequence matters. First confirm with 1-800-MEDICARE whether an unauthorized account was created or disabled. Then work the official support path for the sign-in service you use. If the letter says a password was reset or an account was reopened, tell both parties exactly which letter you received and when it arrived.
- Use only official support pages for ID.me, CLEAR, or Login.gov.
- Keep the same email address and identity story throughout recovery.
- Do not pay anyone promising "faster Medicare access" or "government escalation."
- If someone offers private recovery help through ads or DMs, treat it as a second scam. Do not hire a hacker.
Review claims, notices, and benefits mail
CMS encouraged affected beneficiaries to review Medicare Summary Notices and Explanation of Benefits for unfamiliar charges or services. This step matters even if you were told the fraudulent account was deactivated. Account closure does not retroactively tell you what a bad actor may have seen or which provider details were exposed.
Look for things that change outcomes, not every small formatting difference.
| Signal | What it may mean | Best next move |
|---|---|---|
| An unfamiliar provider, test, or service | Possible claims misuse or exposed medical details | Report it to Medicare and keep the notice with the service date and amount |
| A new address or contact detail | Profile-level account access | Ask Medicare what changed and tighten the identity-provider account immediately |
| A new Medicare card arriving unexpectedly | Possible MBI replacement tied to suspected misuse | Follow Medicare's instructions and start using the new card as directed |
| Multiple suspicious notices across systems | Broader identity misuse beyond Medicare | Move into identity-theft cleanup as well |
Keep the physical documents. Medicare's fraud publication says reports work better when you have the service date, the amount paid, the notice date, and why you believe the service should not have been billed. That paperwork is not clutter. It is evidence.
If your Medicare number may have been exposed
A Medicare Beneficiary Identifier is not a password, but it is still sensitive. CMS said the unauthorized accounts in the 2025 incident were created using valid beneficiary information that included MBIs, coverage start dates, last names, dates of birth, and ZIP codes. That combination is enough to make a routine scam feel more convincing because the caller or letter can sound specific.
- Never give your Medicare number to an inbound caller, even if they already know part of it.
- Expect follow-on scams pretending to help with card replacement, account recovery, or plan enrollment.
- If CMS or Medicare tells you a new Medicare card and MBI are being issued, start using the new card as directed and stop using the old one.
- If you also exposed banking, tax, or Social Security information, move into broader cleanup for identity misuse or theft.
Safety note: a real Medicare problem increases your chance of getting a fake follow-up call. The second contact is often the scammer's next move, not the solution.
Report it with usable details
Medicare's fraud publication says you can report suspected fraud through 1-800-MEDICARE, the HHS Office of Inspector General hotline, or the online OIG complaint form. CMS also told beneficiaries in the June 30, 2025 incident notice to report suspicious activity to Medicare or the OIG and to use the FTC's identity-theft process if concerns arise.
- Medicare login and help: Medicare account log-in options
- HHS OIG fraud reporting: oig.hhs.gov/fraud/report-fraud/
- FTC identity theft workflow: IdentityTheft.gov
- Free annual credit reports if broader identity misuse is suspected: AnnualCreditReport.com
When you report it, have the letter, your Medicare card, the notice date, any suspicious claims, and your own timeline beside you. Specifics improve the report. Vague frustration does not.
How to keep the next step from going wrong
Most follow-on damage comes from confusion between the paper letter, the identity-provider account, and the Medicare account. Keep them separate in your notes. A letter tells you an event happened. ID.me, CLEAR, or Login.gov controls the identity gate. Medicare controls the account and the claims data.
- Use one private email address for your secure Medicare access.
- Store your Medicare card somewhere you can find it quickly, but not where others can casually photograph it.
- Review Medicare Summary Notices instead of ignoring them until open enrollment season.
- Use only direct, official channels for sign-in and support. No search-ad phone numbers.
- If the scam shifts into fake government warnings or urgent payment demands, compare it against government-impersonation patterns.
An unauthorized Medicare.gov account feels personal because it touches health information, government identity, and routine mail at the same time. That mix creates pressure to solve everything at once. Resist that. The win condition is simpler: confirm the account event, secure the identity service that controls access, then review claims and notices methodically.
CMS's June 30, 2025 notice matters because it clarified the real boundaries. Benefits and coverage are not automatically lost, fraudulently created accounts can be deactivated, and new MBIs can be issued when needed. That means recovery is less about panic and more about sequence.
The people who get through this cleanly are usually the ones who keep a short record, stay on official channels, and separate account recovery from identity-theft cleanup. Once those pieces are separated, the incident stops feeling like a government mystery and starts looking like a set of solvable tasks.
The strategic question is not whether someone touched the account. It is whether there is still an open path back into your Medicare identity. Close that path, and the rest of the work becomes verification.
