Republican Senate and House committee leaders are asking government officials to provide them with information regarding potential patient privacy issues and security incidents that occurred on Healthcare.gov, the website for statewide health insurance marketplaces.
Members of Congress wrote a letter to Secretary of the Department of Health & Human Services Sylvia Burwell and Acting Administrator for the Centers for Medicare & Medicaid Services Andy Slavitt, requesting the agencies provide further information in response to a recent report from the Government Accountability Office (GAO).
The report states that Healthcare.gov fell victim to a total of 316 security incidents between October 2013 and March 2015, with 41 of those incidents involving personally identifiable information.
According to GAO, most of these were minor incidents involving electronic probing, and most did not result in the compromise of any data systems or the disclosure of health data into malicious hands.
“According to GAO’s review of CMS records for this period, the majority of these incidents involved such things as electronic probing of CMS systems by potential attackers, which did not lead to compromise of any systems, or the physical or electronic mailing of sensitive information to an incorrect recipient,” the report stated. “None of the incidents included evidence that an outside attacker had successfully compromised sensitive data, such as personally identifiable information.”
However, during its investigation, GAO found that CMS had security gaps in its technical safeguards, including the following:
- insufficiently restricted administrator privileges for data hub systems,
- inconsistent application of security patches, and
- insecure configuration of an administrative network.
GAO found some other security issues, which were detailed in a closed report alongside 27 suggested items for CMS to mitigate these issues.
After consulting the report, the members of Congress who signed – including Senators Lamar Alexander, Orrin Hatch, Chuck Grassley, John Thune, Rob Portman, and Representatives Fred Upton, Kevin Brady, and Jason Chaffetz – penned their letter requesting more information regarding the reported data security incidents.
This letter is a follow-up to two previous letters sent in September 2014 and January 2015. In it, the congressional leaders asked for information such as incidents involving personally identifiable information, and incidents resulting in the sharing of data with unauthorized third parties.
Specifically, the group asked for a complete list of all Healthcare.gov incidents since March 2013, how many individuals’ records were breached in each incident, whether the incident involved personally identifiable information, and whether the potentially affected individuals were notified of the incidents.
Additionally, the group asked for HHS’s Breach Response Team’s charter and operating procedures, annual reports since 2013, the CMS breach response plan, and after-action reports following each security incident.
The signatories gave HHS and CMS the deadline of April 6 to complete the requested actions. They also requested that the agencies, if they had not notified all potentially affected individuals of any security incidents, do so immediately.
Healthcare.gov representatives have maintained their commitment to healthcare data security in the past. Just last year, the marketplace’s CEO Kevin Counihan explained the specific steps they were taking to protect consumer information.
“While we have taken steps to improve HealthCare.gov, we know building and maintaining a website is an evolving process,” Counihan wrote in a blog post. “That’s what we’ve done by reviewing the tools on HealthCare.gov and by adding a layer of encryption to the URL on the Window Shopping tool.”
Protecting Healthcare.gov is an ongoing process, Counihan had said. As made evident by the recent GAO report, that process is still continuing.
“We are looking at whether there are additional steps we should take to improve our efforts,” Counihan wrote. “While this process is ongoing, we have taken action that we believe helps further increase consumer privacy.”