Medicare QR Code Scam: What It Is and What to Do

Medicare does not send QR codes

The Centers for Medicare & Medicaid Services (CMS) does not contact beneficiaries via QR codes — not in letters, not in texts, and not in emails. If you receive any message claiming to be from Medicare that includes a QR code, it is a scam regardless of how official it looks.

Medicare communicates with beneficiaries primarily through official mail and through medicare.gov. It does not send unsolicited texts or emails asking you to verify your card, update your information, or scan a code. Any QR code in a so-called Medicare communication was placed there by a scammer.

Your Medicare number is treated as sensitive as your Social Security number — in fact, it was changed in 2018 specifically to remove Social Security numbers from Medicare cards after widespread fraud. Exposing your Medicare number can lead to identity theft, fraudulent medical billing in your name, and insurance fraud that may affect your future coverage.

The three variants of the Medicare QR code scam

Scammers run this scheme through three channels, each exploiting a different fear or expectation.

The mailed-card variant is the most convincing. You receive a printed letter that looks like official CMS correspondence — sometimes complete with a government seal, a fake CMS employee name, and a case number. The letter claims your Medicare card is expiring or that a new, updated card is being issued. It instructs you to scan a QR code to "activate your new card" or "verify your identity to receive it." The code leads to a fake CMS website that collects your Medicare number, date of birth, and sometimes your Social Security number or bank account for "direct deposit of your reimbursement."

The robocall-to-QR funnel combines two tactics. An automated call warns you that your Medicare benefits are suspended due to "suspicious activity" or that you need to confirm your enrollment. The caller tells you to watch for a follow-up text with a QR code. The text arrives minutes later, and scanning it opens a credential-harvesting page. The two-step approach makes the scam feel more procedural — and therefore more legitimate.

The fake "new Medicare card" scam claims the government is issuing updated Medicare cards — sometimes citing a real policy change to make it sound plausible. The letter or text says your new card will only be sent after you verify your current information by scanning a QR code. This variant is especially effective because the 2018 card redesign is well-known, making beneficiaries more receptive to the idea that another card update could happen. As with the other variants, the QR code leads to a phishing page designed to collect your Medicare number, Social Security number, and other personal details. For context on why QR codes are used instead of plain links, see what quishing is and how it works.

What to do if you scanned it

Your response depends on what happened after you scanned.

If you only scanned and didn't enter any information: Your risk is low. Close the page, do not return to it, and report the contact to HHS.

If you entered your Medicare number, Social Security number, or other personal information, act immediately:

1. Report to the HHS Office of Inspector General. File a report online at oig.hhs.gov or call 1-800-HHS-TIPS (1-800-447-8477). The OIG investigates Medicare fraud and benefits from every report.
2. Report to the FTC. File a report at reportfraud.ftc.gov. The FTC coordinates with law enforcement to act on these reports.
3. Place a fraud alert with the credit bureaus. Contact Equifax, Experian, or TransUnion — one contact triggers an alert at all three. If you provided your Social Security number, consider a full credit freeze.
4. Monitor your Medicare Summary Notice. Review your MSN or Medicare claims history at medicare.gov for any services, equipment, or prescriptions you did not receive. Medical identity theft can go undetected for months.
5. Contact your Medicare Advantage plan if you have one. Notify them of the potential compromise so they can flag your account for suspicious billing.
6. Contact your bank or card issuer if you entered payment information. Request a dispute on any unauthorized charges.

For a full recovery checklist after any suspicious scan, see what to do if you scanned a suspicious QR code.

How to avoid the scam next time

The core rule: if a message claims to be from Medicare and contains a QR code, it is not from Medicare. But here is how to protect yourself and a Medicare recipient you care for:

• Check any QR code with QRsafer first. QRsafer checks the destination URL against threat intelligence databases before your browser loads the page. A phishing page impersonating CMS will not pass a threat check.
• Manage your Medicare account directly. Go to medicare.gov yourself — never follow a QR code or link in an unsolicited message. If there is truly an issue with your account, you will see it there.
• Call Medicare to verify. The official Medicare helpline is 1-800-MEDICARE (1-800-633-4227). Any real notice can be verified with a representative. If the communication is fake, you just avoided the scam.
• Guard your Medicare number like your SSN. Your Medicare Beneficiary Identifier (MBI) should never be shared over a QR code, a website you reached through an unsolicited message, or with anyone who called or texted you unexpectedly.

This same impersonation tactic — a government agency demanding action via QR code — is used by fake IRS QR code scammers and Social Security impersonators. The defense is the same in every case: never follow a QR code to log in or provide personal information in response to unsolicited contact.

Frequently asked questions