Partial Social Security numbers (SSNs), immigration status, and tax information might have been stolen as a result of the health data breach on the Healthcare.gov portal last month.
In October, CMS admitted to a breach of Healthcare.gov’s Direct Enrollment pathway, which enables agents and brokers to complete consumer applications for coverage by the federal healthcare exchanges.
At that time, CMS said that personal information on 75,000 individuals was at risk, but it did not say what information might have been compromised. This week, CMS increased the number of impacted people to 94,000.
It detected suspicious activity on Healthcare.gov on Oct. 13 and determined that a breach had occurred on Oct. 16. It took steps to secure the system and consumer information, including disabling the Direct Enrollment pathway for agents and brokers, and notified federal law enforcement. The Direct Enrollment pathway was reactivated on Oct. 26 after additional security measures were implemented.
In a letter sent last week to affected individuals, CMS said that the compromised information may have included names, dates of birth, last four digits of SSNs, income, tax filing status, family relationships, immigrant status, immigration document types and numbers, employer names, health insurance status, results of the application for healthcare coverage, the names of insurance plans, premiums, and dates of coverage.
The letter stressed that bank account numbers, credit card numbers, and diagnosis or treatment data were not accessible to the hackers.
CMS said it is offering free identity theft protection services for those impacted by the breach.
“We are continuing to investigate this breach and putting additional security measures in place to make sure HealthCare.gov and the Marketplace process are safe and all consumer information is protected. Please be assured that all information will be protected during Open Enrollment,” the letter read.
Healthcare.gov has had a rocky history when it comes to data security. A 2016 GAO report estimated that the website had 316 security incidents between October 2013 and March 2015.
The government watchdog identified weaknesses in the website’s technical controls protecting data, including insufficiently restricted administrator privileges for data hub systems, inconsistent application of security patches, and insecure configuration of an administrative network.
“In addition to the above weaknesses, we identified other security weaknesses in controls related to boundary protection, identification and authentication, authorization, encryption, audit and monitoring, and software updates that limit the effectiveness of the security controls on the data hub and unnecessarily place sensitive information at risk of unauthorized disclosure, modification, or exfiltration,” GAO said.
In response to the GAO report, Republican lawmakers sent a letter to HHS asking for information on how many individuals’ records were compromised, whether the incident involved personal information, and whether those affected were notified.
They also asked for the HHS Breach Response Team’s charter and standard operating procedures, annual reports, the CMS breach response plan, and after-action reports for each security incident.
In addition, Todd Park, the former US chief technology officer, was subpoenaed by the House Science, Space, and Technology Committee in October 2014 to testify about his role in developing the Healthcare.gov website.
“The Obama administration has failed to provide this committee with information about the security of the Obama Care website,” said Committee Chairman Lamar Smith, who issued the subpoena. “What is the White House trying to hide? The American people deserve to know their personal information on HealthCare.gov is absolutely secure.”
In July of that year, hackers broke into the Healthcare.gov server and deployed malware designed for use in future cyberattacks.
The server was used for code testing. HHS said that the portions of the site with PHI had more security protections and that the hackers were unable to get access through the network. HHS learned of the server breach on August 25 during a normal security scan.
“Our review indicates that the server did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted,” said HHS. “We have taken measures to further strengthen security.”
This story has been updated to include CMS' latest tally of impacted victims.