The Trump administration inadvertently exposed Social Security numbers for at least 100 health providers included in a national directory.
The Centers for Medicare and Medicaid Services on Thursday pulled down the National Provider Directory, which contains public information on more than 7 million medical providers and can be used by members of the public to find a doctor or other health care professional. The decision came after CMS admitted that a relatively small number of Social Security numbers were exposed in a file of downloadable data in a part of the directory primarily intended for insurers and researchers.
The Washington Post first reported the data exposure after alerting CMS so the agency would have time to rectify it.
Before the database was taken offline, a member of the public with knowledge of the data provided POLITICO with a list of medical providers identified as potentially having their Social Security numbers included in the downloadable file. POLITICO confirmed that at least 102 providers had their full, unredacted Social Security numbers included in the database. The source was granted anonymity to share the sensitive information.
The Social Security numbers appeared in a column that typically contains information about the provider’s qualifications, such as their state license number. CMS asks providers for their Social Security numbers in another part of the form the agency requires them to fill out, but it’s unclear why the numbers also showed up in the provider qualifications space.
CMS said the health care providers or their representatives submitted them in the wrong place. It’s unclear whether the agency checked the forms after submission before uploading them to the database on April 6.
“The agency has taken steps to address it promptly and reinforce safeguards around data submission and validation,” it said in a statement Thursday evening. The agency said that there are areas where "data quality and collection processes can be strengthened.”
The agency has not yet responded to follow-up questions. Several medical providers whose Social Security numbers were exposed have also not responded to requests for interviews.
The database was publicly accessible and could be downloaded by anyone, but the large data files are primarily intended for insurers and other health care companies to create search tools for patients to find providers on their websites. Patients using an online search tool likely would not have been able to see the providers' Social Security numbers.
The idea of a national provider directory has spanned the last two administrations. Former President Joe Biden’s administration asked for information from the public in 2022 to help develop one.
The Trump administration announced the launch of the directory in July 2025. In November of last year, CMS rolled out part of it, offering Medicare Advantage provider data for patients to search. The full directory is expected to launch later this year.
Officials have bemoaned a lack of transparency and accuracy in Medicare Advantage insurer provider network listings. Patients sometimes sign up for one of the privately-run plans because their providers are included in the listings and then find out later that the information was erroneous.
CMS has had other data accuracy and privacy issues. A different directory released last year inadvertently listed the wrong health insurers accepted by providers.
A data privacy expert said he isn’t surprised that the data was inadvertently exposed.
“We have seen in a lot of contexts this administration brushing aside privacy safeguards and consolidating data and providing access between or across agencies and sidelining privacy officials,” said John Davisson, director of enforcement for the Electronic Privacy Information Center, a data privacy advocacy and research group.
One high-profile example was last year when the Trump administration released unredacted files related to the assassination of President John F. Kennedy and exposed the social security numbers of former congressional staffers and others.
