Problems Related to Data Security on ACA Exchanges

VII. Key Issues: Regulation & Reform >> C. Health Reform >> Affordable Care Act (ACA) >> ACA Repeal >> Components of ACA Not Working Well >> Health Exchanges (last updated 1.27.22)

Topic Outline

1 Threats to Privacy
2 Opportunities for Fraud/Identity Theft
3 Cybersecurity Threats

Threats to Privacy

Threats to privacy on the Exchanges arise due to their intrinsic design and were further aggravated by the hasty rollout. Some Americans have concerns about their privacy as it relates to what the government knows about them; such concerns over privacy in the exchanges parallel concerns over privacy related to national security. Companion concerns about whether unauthorized private citizens will make use of this information for fraudulent purposes such as identity theft are addressed in the subsequent section.
According to the Morning Consult (11.2.15), Americans are “less confident that their private information is secure on the Obamacare exchanges. In a September 2014 poll, 43 percent of respondents said they thought their private information was safe on HealthCare.gov or a state Obamacare exchange. This year’s poll put that percentage down to 34 percent.” Privacy concerns may in part explain why “only 24 percent of respondents said they plan to visit an exchange site within the next few months,” down from 65 percent when the exchanges launched in 2013.

Intrinsic Design of the Data Services Hub

The Data Services Hub (Hub) — characterized by Business Week as “one of the most complex computer projects in the government’s history” — will serve as the single entry point for state exchanges through which they will be able to access information they need, from across a number of federal agencies, to enroll individuals in coverage. While personal data will not be stored in the Hub, any breach of the Hub’s security would provide easy access to the personal information of millions of Americans.
The purpose of the Hub is to confirm personal characteristics that include their identity, citizenship, income and family size — even whether they’re incarcerated — as a way to determine eligibility.
A regulatory notice filed by the administration in February “describes a new ‘system of records’ that will store names, birth dates, Social Security numbers, taxpayer status, gender, ethnicity, email addresses, telephone numbers on the millions of people expected to apply for coverage at the ObamaCare exchanges, as well as ‘tax return information from the IRS, income information from the Social Security Administration, and financial information from other third-party sources.’ They will also store data from businesses buying coverage through an exchange, including a ‘list of qualified employees and their tax ID numbers,’ and keep it all on file for 10 years.”
In addition, the filing says the federal government can disclose this information ‘without the consent of the individual’ to a wide range of people, including ‘agency contractors, consultants, or grantees’ who ‘need to have access to the records’ to help run ObamaCare, as well as law enforcement officials to ‘investigate potential fraud.'”
Examples of privacy breaches that highlight the risks to privacy posed by the Hub:

WellPoint Inc. in July 2013 paid $1.7 million to settle potential violations of U.S. privacy laws when a company website left the health data of 612,402 customers unprotected over the Internet.
The National Security Agency broke privacy rules or illegally overstepped its authority thousands of times to obtain communications of U.S. citizens and foreigners in the U.S., according to a report in the Washington Post.
Likewise, Administration officials appear to have lied repeatedly about the status of efforts to ensure security on the Hub.

Hasty Rollout

Six key milestone deadlines designed to ensure privacy protection were either missed or pushed back (see graph). The final certification was scheduled for Monday, September 30 – the day before the Exchanges opened for business on October 1.

Privacy on HealthCare.gov

Bill Addresses HealthCare.gov Privacy Issue. “A recently introduced bi-partisan bill would require that new privacy measures be implemented on the HealthCare.gov insurance exchange site to give consumers more control over their personal data.The Healthcare Consumer Privacy Act, H.R. 5610, introduced last week by Rep. Robert Hurt, R-Va. and Rep. John Barrow D-Ga., proposes that the Affordable Care Act, commonly known as Obamacare, be amended to allow consumers to remove their profiles on HealthCare.gov if they choose not to enroll in coverage offered on federally facilitated exchanges.” (Healthcare Info Security, 10.1.14)
US Department of Health and Human Services Privacy Impact Assessment (11/16/2016).

Private Firm Data-mining

Obama Administration Reverses On Health Care Privacy Problem. ’Bowing to privacy concerns, the Obama administration reversed itself Friday, scaling back the release of consumers’ personal information from the government’s health insurance website to private companies with a commercial interest in the data. The administration made the changes to HealthCare.gov after The Associated Press reported earlier this week that the website was quietly sending consumers’ personal data to companies that specialize in advertising and analyzing Internet data for performance and marketing…The changes were confirmed by Cooper Quintin, a staff technologist with the Electronic Frontier Foundation, a civil liberties group. Quintin called it ‘a great first step,’ but said the administration needs to do more.” (Associated Press, 1.23.15)
Analyst: Private Firms’ Access to Obamacare User Info ‘Incomprehensible.’“Allowing dozens of companies access to Obamacare users’ personal health care information was ‘digital overkill,’ and compromised millions of Americans’ online security, an analyst told a congressional panel looking into the issue this month. An Associated Press story revealed last month that the federal government had authorized as many as 50 private companies, including Google, Twitter and Facebook, to track and record healthcare.gov users’ information. The Obama administration said the use of third party ‘data mining’ is necessary to help understand who uses the site, as well as how and when they use it…’ Adding third-party applications without proper due diligence and compliance speaks to the continued lack of oversight and management of the security of the site,’ Wright said. ‘Willfully or unintentionally ignoring established… security controls in order to [allow access by] 50 third parties is incomprehensible.’… Not only did users of the site not authorize the collection of their personal data by private firms, they also didn’t know that collection was going on in the first place, De Mooy explained.” (PJ Media, 2.22.15)

Opportunities for Fraud/Identity Theft

Substantial private information will be collected by navigators. As well, the data system itself is vulnerable to hacking.

Judicial Watch.“Hundreds of new documents obtained by Judicial Watch through a Freedom of Information Act Lawsuit show Health and Human Services officials were repeatedly warned by security contractor Mitre Corporation that the site was not properly protected. According to the government watchdog group, “an unsigned Authorization to Operate prepared just five days before Obamacare’s launch, indicates that the site’s validation contractor was unable to adequately test the confidentiality and integrity of the [Federally Facilitated Marketplace] system in full. That contractor, Blue Canopy, noted that they were able to access data ‘that should not be publicly accessible.'” The website was at such high risk, the Centers for Medicare and Medicaid Services edited a public memo stating consumers could fully trust the system would protect their private medical and personal information… ‘From its start, Obamacare was a project that its promoters were determined to inflict on us whether it was ready or not. And clearly it was not. Anyone who uses the Obamacare web site does so at great risk to their private information. Let this be a lesson for those in Washington who are now trying to clean up this mess.’” (Townhall, 4.18.17)
DHHS OIG Findings. According to the Office of the Inspector General of the Department of Health and Human Services, Obamacare’s exchanges may end up illegally exposing Americans’ private records to hackers and criminals.
- More Data Vulnerabilities, Cyber Breaches Detected In Healthcare Exchanges.“Government audits continue to reveal that millions of people’s personally identifiable information is at risk. Continuous audit reports by the Office of the Inspector General (OIG) of The Department of Health and Human Services (HHS) reveal that online health care insurance exchanges could be the next juicy target for hackers looking for consumers’ personal information. To date, the OIG has identified security vulnerabilities in the federal exchange, and in the state exchanges in California,Kentucky, and New Mexico. While all the audited entities have begun the necessary bulwarking of their exchanges, there is room for improvement” (Above the Law, 10.30.15).
- Obamacare Database With Personal Information on Millions Had ‘Basic Security Flaws.’ “The government stored sensitive personal information on millions of health insurance customers in a computer system with basic security flaws, according to an official audit that uncovered slipshod practices. The Obama administration said it acted quickly to fix all the problems identified by the Health and Human Services inspector general’s office. But the episode raises questions about the government’s ability to protect a vast new database at a time when cyberattacks are becoming bolder. Known as MIDAS, the $110-million system is the central electronic storehouse for information collected under President Barack Obama’s health care law. It doesn’t handle medical records, but it does include names, Social Security numbers, birthdates, addresses, phone numbers, passport numbers, employment status and financial accounts of customers on HealthCare.gov and state insurance marketplaces.” (Washington Free Beacon, 9.24.15)
Treasury Inspector General: IRS Needs More Safeguards in Handling Obamacare Tax Data. “The IRS should do more to make sure federal taxpayer information does not fall into the wrong hands when it provides data to Obamacare’s insurance exchanges, the agency’s auditor said Thursday. While investigators didn’t say any data has been lost or stolen yet, Inspector General J. Russell George said the IRS needs to tighten its security protocols and to make sure exchanges and other state agencies with access to data from the Affordable Care Act submit to an independent security assessment beforehand.” (Washington Times, 10.23.14)
GAO Probe: HealthCare.gov Website Must Boost Security. “HealthCare.gov, the health insurance website serving more than 5 million Americans, has significant security flaws that put users’ personal information at risk, nonpartisan congressional investigators have concluded. The Government Accountability Office said the Obama administration must resolve more than 20 specific security issues related to who can get into the system, who can make changes in it and what to do in case the complex network fails.” (The Associated Press, 9.16.14)
State Attorneys General Express Concerns. Florida Attorney General Pam Bondi has said that the Department of Health and Human Services (HHS) is making it easier for someone to be hired as a so-called navigator, cutting back on background checks and eliminating a fingerprinting requirement, which could make it easier for a person’s private information to fall into the wrong hands. According to Bondi: “And it’s more than navigators. It’s people that assist the navigators. Now, these navigators will have our consumers throughout the country’s most personal and private information — tax return information, Social Security information. And our biggest fear, of course, is identity theft. ”In mid-August 2013, Bondi and a dozen other Republican state attorneys general sent HHS Secretary Kathleen Sebelius a letter calling her attention to this privacy issue and asking her to implement more stringent privacy requirements and safeguards. They gave Sebelius until Aug. 28 to respond. The letter was organized by West Virginia Attorney General Patrick Morrisey and signed by attorneys general from Alabama, Florida, Georgia, Kansas, Louisiana, Michigan, Montana, Nebraska, North Dakota, Oklahoma, South Carolina and Texas.
Diane Black. ObamaCare Security: Still on Life Support. Wall Street Journal, 11.14.14.
- HealthCare.gov houses vast amounts of sensitive personal enrollment information—from full, legal names, to Social Security numbers, dates of birth and even income information. This wealth of private information on HealthCare.gov has been described by experts as a “hacker’s dream.”
- In September, GAO released a report finding more than 20 specific security-related issues to HealthCare.gov that should be resolved and found that the federal government had not always enforced strong password controls, adequately restricted access to the Internet or consistently implemented software patches. The agency reported that “until these weaknesses are fully addressed, increased and unnecessary risks remain of unauthorized access, disclosure, or modification of the information collected and maintained by HealthCare.gov and related systems.”
- The HHS inspector general followed up a week later, noting that while the website has improved, more work must be done to ensure security.
- In October the Treasury Department’s inspector general raised another flag, warning that the Internal Revenue Service needs to tighten security protocols when releasing sensitive taxpayer information to the health-care exchanges.
According to AP 7.30.14, “Tavenner took the unusual step of signing the operational security certificate for HealthCare.gov herself, after CMS security professionals balked. The site has since passed full security testing.”
Herb Weisbaum, “Obamacare Is Coming, And So Are The Con Artists,” CNBC, 8/15/13.
- “As the debate rages over who benefits from the Affordable Care Act, one thing is becoming clear: The controversial program is a dream come true for rip-off artists. Consumer experts warn that the program has created a huge opportunity for swindling people by stealing their money and their sensitive personal information.”
- “Scammers have been at it for more than a year now, but consumer advocates and security experts warn that the problem will worsen as we get closer to Oct. 1. That’s when the millions of uninsured Americans can use a health insurance exchange, set-up by their state or by the federal government, to shop for coverage. ‘I believe the incidents are going to skyrocket as that date approaches,’ said Eva Velasquez, president and CEO of the nonprofit Identity Theft Resource Center. ‘And even people who are smart and savvy could get taken, so we are very concerned about the potential for some serious financial harm.’”

Cybersecurity Threats

ObamaCare Enrollment Portal Breached. “The sensitive personal information of around 75,000 people was compromised last month after a government portal used to help people enroll in health plans through the Affordable Care Act’s insurance marketplace was hacked, officials said Friday… CMS spokesman Johnathan Monroe said the HealthCare.gov website used by the general public was not affected. ‘This concerns the [insurance] agent and broker portal, which is not accessible to the general public,’ he said. Consumers applying for health coverage have to provide personal information such as Social Security numbers, income and citizenship or immigration status. The thousands of people affected by the breach make up a small share of the 8.7 million people who signed up for this year’s coverage.” (Fox News, 10.20.18)
The Belarusian Connection: Obamacare Network Vulnerable to Cyber Attack. In late January 2014, U.S. intelligence agencies urged the Obama administration to check its new healthcare network for malicious software after learning that developers linked to the Belarus government helped produce the website, raising fresh concerns that private data posted by millions of Americans will be compromised. The intelligence agencies notified the Department of Health and Human Services, the agency in charge of the Healthcare.gov network, about their concerns last week. Specifically, officials warned that programmers in Belarus, a former Soviet republic closely allied with Russia, were suspected of inserting malicious code that could be used for cyber attacks, according to U.S. officials familiar with the concerns.
Washington Won’t Reveal Records on Health Website Security. “The Centers for Medicare and Medicaid Services denied a request by The Associated Press under the Freedom of Information Act for documents about the kinds of security software and computer systems behind the federally funded HealthCare.gov. The AP requested the records late last year amid concerns that Republicans raised about the security of the website…Keeping details about lockdown practices confidential is generally derided by information technology experts as ‘security through obscurity.’ Disclosing some types of information could help hackers formulate break-in strategies, but other facts, such as numbers of break-ins or descriptions of how systems store personal data, are commonly shared in the private sector. ‘Security practices aren’t private information,’ said David Kennedy, an industry consultant who testified before Congress last year about HealthCare.gov’s security.” (Associated Press, 8.19.14)
Hackers Break Into Server for Obamacare Website: U.S. Officials. “An unknown hacker or hackers broke into a computer server supporting the HealthCare.gov website through which consumers enroll in Obamacare health insurance, a government cybersecurity team discovered last week, apparently uploading malicious files. The Centers for Medicare and Medicaid Services, the lead Obamacare agency, briefed key congressional staff on Thursday about the intrusions, the first of which occurred on July 8, CMS spokesman Aaron Albright said. The malware uploaded to the server was designed to launch a distributed denial of service, or DDoS, attack against other websites, not to steal personal information, Albright said.” (Reuters, 9.4.14)
GAO: HealthCare.gov Has Security Flaws. “A Government Accountability Office report issued Sept. 16 says the Department of Health and Human Services unit that runs HealthCare.gov, the Centers for Medicare & Medicaid Services, has not always required or enforced strong password controls, adequately restricted access to the Internet, consistently implemented software patches and properly configured an administrative network. ‘An important reason that all of these weaknesses occurred and some remain is that CMS did not and has not yet ensured a shared understanding of how security was implemented for the FFM among all entities involved in its development,’ the audit says, referring to the federally facilitated marketplace, the part of Obamacare run by the federal government on behalf of 36 states.’Until these weaknesses are fully addressed, increased and unnecessary risks remain of unauthorized access, disclosure or modification of the information collected and maintained by HealthCare.gov and related systems, and the disruption of service provided by the systems,’ the report says.” (Healthcare Info Security, 9.17.14)