Below is an article about the subject.
I need some education - why is this a big deal. Surely the codes are randomly selected. Certainly somebody might learn/guess my Medicare login. Maybe they will get my password, but gosh, golly begeebers when they try to log in from a machine Medicare does not recognize how would a 2FA code I got last week or even an hour earlier be useful at logging into my Medicare account?