Personal information of around 75,000 individuals is at risk from a health data breach that affected a Healthcare.gov portal for agents and brokers, CMS announced Oct. 19.
The breached portal, called the Direct Enrollment pathway, allows agents and brokers to complete consumer applications for coverage on the federal facilitated healthcare exchanges.
Consumers are required to provide Social Security numbers, income, health insurance status, and citizenship or legal immigration status when applying for healthcare insurance on the portal.
CMS said that it detected suspicious activity on Healthcare.gov on Oct. 13 and determined that a breach had occurred on Oct. 16. It took steps to secure the system and consumer information, including disabling the Direct Enrollment pathway for agents and brokers, and notified federal law enforcement.
CMS said it is implementing additional security measures and plans to restore the Direct Enrollment pathway for agents and brokers by Oct. 26. Other enrollment channels remain operational.
“I want to make clear to the public that HealthCare.gov and the Marketplace Call Center are still available, and open enrollment will not be negatively impacted,” said CMS Administrator Seema Verma. “We are working to identify the individuals potentially impacted as quickly as possible so that we can notify them and provide resources such as credit protection.”
Early on, the Healthcare.gov portal, launched in 2013, was plagued with cybersecurity issues. According to a 2016 report by GAO, Healthcare.gov had 316 security incidents between October 2013 and March 2015, with 41 of those incidents involving possible breaches of personally identifiable information.
“The majority of these incidents involved such things as electronic probing of CMS systems by potential attackers, which did not lead to compromise of any systems, or the physical or electronic mailing of sensitive information to an incorrect recipient,” the GAO report noted.
GAO identified weaknesses in Healthcare.gov’s technical controls protecting data, including insufficiently restricted administrator privileges for data hub systems, inconsistent application of security patches, and insecure configuration of an administrative network.
“In addition to the above weaknesses, we identified other security weaknesses in controls related to boundary protection, identification and authentication, authorization, encryption, audit and monitoring, and software updates that limit the effectiveness of the security controls on the data hub and unnecessarily place sensitive information at risk of unauthorized disclosure, modification, or exfiltration,” GAO said.
The report acknowledged that CMS had taken steps to improve data security on Healthcare.gov, such as developing required security program policies and procedures, establishing interconnection security agreements with its federal and commercial partners, and instituting required privacy protections.
The GAO report prompted some US senators and representatives to send a letter to HHS and CMS asking for additional information on the security incidents. Specifically, the lawmakers asked for information on how many individuals’ records were compromised, whether the incident involved personally identifiable information, and whether those affected were notified. They also asked for the HHS Breach Response Team’s charter and standard operating procedures, annual reports, the CMS breach response plan, and after-action reports for each security incident.
The 2016 GAO report also noted that improvements were needed in the security of state-based marketplaces. CMS had not defined specific oversight procedures, such as the timing for when each activity should occur or what follow-up corrective actions should be performed, the report noted. CMS did not require sufficiently frequent monitoring of the effectiveness of security controls for state-based marketplaces, only requiring testing once every three years, it added.
“GAO identified significant weaknesses in the controls at three selected state-based marketplaces. These included insufficient encryption and inadequately configured firewalls, among others,” it observed.
“Without well-defined oversight procedures and more frequent monitoring of security controls, CMS has less assurance that state-based marketplaces are adequately protected against risks to the sensitive data they collect, process, and maintain,” the report concluded.