HHS OIG is investigating the Healthcare.gov portal data breach that put personal information on 75,000 individuals at risk.
So far, the office has determined that no PHI, banking, or tax information was exposed during the breach, according to CMS Media Relations Group Director Johnathan Monroe.
Monroe said that the Direct Enrollment pathway, the portal for agents and brokers, was up and running on Oct. 26, after being shut down following the breach’s discovery on Oct. 16. Other parts of Healthcare.gov were not affected by the breach.
“I want to make clear to the public that HealthCare.gov and the Marketplace Call Center are still available, and open enrollment will not be negatively impacted,” explained CMS Administrator Seema Verma in the breach announcement. “We are working to identify the individuals potentially impacted as quickly as possible so that we can notify them and provide resources such as credit protection.”
The Direct Enrollment pathway enables agents and brokers to complete consumer applications for healthcare coverage on federal health exchanges. To apply for health insurance, consumers must provide Social Security numbers, income, health insurance status, and citizenship or legal immigration status.
Following the breach, CMS worked with HHS OIG and CIO to improve the system’s security, Monroe related.
CMS said that the open enrollment period for federal health insurance will run from Nov. 1 to Dec. 15, 2018, for coverage beginning on Jan. 1, 2019.
“Consumer access to HealthCare.gov may be limited or restricted when this maintenance is required. Regular scheduled maintenance will continue to be planned for the lowest-traffic time periods on HealthCare.gov, including Sunday mornings,” CMS related.
“The purpose in scheduling these times is to minimize any consumer disruption. Like other IT systems, these scheduled maintenance windows are how CMS updates and improves our system to run optimally and are the normal course of business,” it added.
The Healthcare.gov portal, launched in 2013, has been plagued with cybersecurity issues. According to a 2016 report by GAO, Healthcare.gov had 316 security incidents between October 2013 and March 2015, with 41 of those incidents involving possible breaches of personally identifiable information.
“The majority of these incidents involved such things as electronic probing of CMS systems by potential attackers, which did not lead to compromise of any systems, or the physical or electronic mailing of sensitive information to an incorrect recipient,” the GAO report noted.
In its report, GAO found weaknesses in Healthcare.gov’s technical controls protecting data, including insufficient controls for administrator privileges, inconsistent security patch deployment, and inadequate administrative network safeguards.
The GAO report also noted that improvements were needed in the security of state-based marketplaces. CMS had not defined specific oversight procedures, such as the timing for when each activity should occur or what follow-up corrective actions should be performed, the report noted. CMS did not require sufficiently frequent monitoring of the effectiveness of security controls for state-based marketplaces, only requiring testing once every three years, it added.
“GAO identified significant weaknesses in the controls at three selected state-based marketplaces. These included insufficient encryption and inadequately configured firewalls, among others,” the report observed.
“Without well-defined oversight procedures and more frequent monitoring of security controls, CMS has less assurance that state-based marketplaces are adequately protected against risks to the sensitive data they collect, process, and maintain,” the report concluded.
The GAO report prompted some US senators and representatives to ask HHS and CMS for information on how many individuals’ records were compromised, whether the incident involved personally identifiable information, and whether those affected were notified. They also asked for the HHS Breach Response Team’s charter and standard operating procedures, annual reports, the CMS breach response plan, and after-action reports for each security incident.