The OIG has given CMS mixed reviews regarding the extent to which it meets American Recovery and Reinvestment Act (Recovery Act) requirements to notify affected beneficiaries when the privacy or security of their protected health information is compromised. In the report, “CMS Response to Breaches and Medical Identity Theft,” the OIG assesses how CMS responded to 14 breaches of protected health information requiring notification under the Recovery Act between September 23, 2009 and December 31, 2011. While CMS notified the 13,775 Medicare beneficiaries affected by the breaches, the OIG concluded that in some cases the agency did not meet all Recovery Act requirements. For instance, in half the cases, CMS did not meet the 60-day deadline for notification, and in some cases the notifications were missing required information. The OIG discusses progress CMS has made in developing a compromised provider/supplier number database for contractors, but the OIG found that contractors do not consistently develop edits to stop payments on compromised numbers. The OIG recommends that CMS take a series of steps to ensure that breach notifications meet Recovery Act requirements, including improving the use of the compromised number database and developing a method to ensure that beneficiaries who are victims of medical identity theft retain access to services.