Medicare and Medicaid's Blue Button API has been taken offline. The API allows third-party applications to access Medicare claims data. On December 4, 2019, an API partner reported "a data anomaly with the Blue Button 2.0 API". Medicare and Medicaid subsequently discovered a bug that caused certain protected health information to be inadvertently shared with the wrong beneficiaries' applications.
Those affected are being contacted directly by the government agency. The API will remain offline until the agency has completed a full review and resolved the issue. Other services, including Plan Finder and Medicare.gov, were not affected.
The agency described the incident in detail in a blog post announcement:
"Medicare beneficiaries use BB2.0 to authorize third-party applications to access their own Medicare claims data. The BB2.0 system verifies user credentials with a CMS identity management system, ensuring correct beneficiary data is passed to the third-party application. In order to do this, BB2.0 identifies beneficiaries based on a randomly generated, unique user ID returned by the identity management system. We discovered BB2.0 was truncating a 128-bit user ID to a 96-bit user ID. The 96 bits remaining were not sufficiently random to uniquely identify a single user. This resulted in the same truncated user ID being assigned to different beneficiaries. Because BB2.0 was truncating the user ID provided by the identity management system, some beneficiaries with the same truncated ID were passed data pertaining to other users via BB2.0."
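The mechanism in the quote is worth seeing in numbers. The following is an added illustration, not CMS code: the 128-bit ID layout, the direction of the cut (leading 96 bits kept), and the seeded generator are all assumptions made for the demonstration. It shows that 96 uniformly random bits would almost never collide for any plausible beneficiary population, so the failure was not the width alone but the fact that the bits that survived truncation carried little of the ID's entropy; it also shows the width check that belongs at the boundary where the ID is received.

```python
"""Why truncating a 128-bit user ID to 96 bits can alias different users.

Added example. The ID layout below is hypothetical and is NOT the CMS
identity management system's format; it is chosen so that the entropy
lives in the bytes the truncation discards.
"""
import math
import random
from collections import defaultdict

ID_BYTES = 16          # 128-bit user ID as issued by the identity system
TRUNCATED_BYTES = 12   # 96 bits, the width the buggy consumer kept


def collision_probability(n_users: int, bits: int) -> float:
    """Birthday-bound estimate of P(at least two of n_users IDs collide)
    when IDs are uniform over 2**bits values: 1 - exp(-n(n-1) / 2^(bits+1))."""
    return 1.0 - math.exp(-n_users * (n_users - 1) / 2.0 ** (bits + 1))


def make_structured_id(rng: random.Random, buckets: int = 16) -> bytes:
    """Hypothetical 128-bit ID (assumption for illustration only):
      bytes 0-7   constant issuer tag                (no entropy)
      bytes 8-11  issuance bucket, e.g. a day number (very little entropy)
      bytes 12-15 per-user random tail                (all the entropy)
    Keeping only the first 96 bits keeps the tag and bucket and drops the tail."""
    issuer = b"IDM-TAG!"                                 # 8 bytes, constant
    bucket = rng.randrange(buckets).to_bytes(4, "big")   # 4 bytes, few distinct values
    tail = rng.getrandbits(32).to_bytes(4, "big")        # 4 bytes, random
    return issuer + bucket + tail


def truncate_id(user_id: bytes, keep: int = TRUNCATED_BYTES) -> bytes:
    """The bug: retain only the leading `keep` bytes (assumed direction of the cut)."""
    return user_id[:keep]


def require_full_width(user_id: bytes) -> bytes:
    """The guard the bug calls for: refuse to key any lookup on an ID that is
    not the full width the identity system issued."""
    if len(user_id) != ID_BYTES:
        raise ValueError(
            f"expected {ID_BYTES * 8}-bit user ID, got {len(user_id) * 8} bits")
    return user_id


def find_collisions(ids):
    """Map each duplicated ID to the indices of the users that share it."""
    seen = defaultdict(list)
    for idx, uid in enumerate(ids):
        seen[uid].append(idx)
    return {uid: users for uid, users in seen.items() if len(users) > 1}


def simulate(n_users: int, seed: int = 1) -> dict:
    """Issue n_users IDs, then count collisions before and after truncation.
    The seeded PRNG makes the demo deterministic; real IDs need a CSPRNG."""
    rng = random.Random(seed)
    full = [make_structured_id(rng) for _ in range(n_users)]
    trunc = [truncate_id(uid) for uid in full]
    return {
        "full_collisions": len(find_collisions(full)),
        "truncated_collisions": len(find_collisions(trunc)),
        "distinct_truncated": len(set(trunc)),
    }


if __name__ == "__main__":
    print("P(collision), 10,000 users, 96 uniformly random bits:",
          collision_probability(10_000, 96))
    print("P(collision), 10,000 users, 32 uniformly random bits:",
          collision_probability(10_000, 32))
    print(simulate(1_000))
    try:
        require_full_width(truncate_id(make_structured_id(random.Random(0))))
    except ValueError as exc:
        print("guard rejected truncated ID:", exc)
```

With 10,000 users the birthday bound for 96 uniformly random bits is effectively zero and for 32 random bits is about 1.2%, yet the simulated truncated IDs collapse to at most 16 distinct values because the retained prefix is structured rather than random. The two practical takeaways are the width check at the point the ID is received, and a uniqueness check (the `find_collisions` pattern) over the key actually used for data lookup, since an identity system's guarantee of uniqueness holds only for the value it issued, not for whatever a downstream component derives from it.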
It is estimated that fewer than 10,000 beneficiaries' data was affected. Those affected will receive a letter directly from the government agency, and that letter will discuss remediation efforts and next steps. Review the blog post announcement for a complete list of applications affected.