Governance & Risk Management , Healthcare , Incident & Breach Response
Breach of Obamacare Site Spilled Sensitive Data94,000 Victims' Income, Pregnancy Status and More Potentially Exposed
(In a Nov. 13 update, the Centers for Medicare & Medicaid Services states: " We are continuing to work with law enforcement to investigate the breach, and our estimate of affected consumers has been updated to a final total of 93,689.")
More than two weeks after announcing that the Obamacare website, HealthCare.gov, had been hacked, the Department of Health and Human Services has revealed that the breach exposed a wealth of information, including partial Social Security numbers and immigration status.
In its Oct. 19 statement, which was scant on details, the Centers for Medicare and Medicaid Systems - the unit of the Department of Health and Human Services that administers the Affordable Care Act, also known as Obamacare - acknowledged that data on 75,000 individuals was exposed. Now, in a notification letter dated Nov. 7 that's hidden on the HealthCare.gov website, HHS is describing that data (see: Obamacare System Breach Affects 75,000).
"HealthCare.gov includes a way for licensed insurance agents and brokers to search for consumers who have an application stored on HealthCare.gov. This allows agents and brokers to help some consumers update their applications if any information changes," the letter notes.
"On October 16, 2018, we found that a number of agent and broker accounts engaged in excessive searching for consumers, and through those searches, had access to the personal information of people who are listed on Marketplace applications," the letter states. "We immediately shut off these agent and broker accounts, and also shut off the entire agent and broker function while changes were made to improve security."
Data that may have been inappropriately accessed, according to the letter, includes:
- Name, date of birth, address, gender and the last four digits of the Social Security number;
- Expected income, tax filing status, family relationships, whether the applicant is a citizen or an immigrant, immigration document types and numbers, employer name, whether the applicant was pregnant and whether the applicant already had health insurance;
- Information provided by other federal agencies and data sources to confirm the information provided on the application;
- The results of the application, including whether the applicant was eligible to enroll in a qualified health plan, and if eligible, the tax credit amount;
- If the applicant enrolled, the name of the insurance plan, the premium and dates of coverage.
"The information that was accessible did not include bank account numbers, credit card numbers or diagnosis or treatment information," states the letter, which does not reveal the details of how the website was hacked.
Attorney Adam Greene of the law firm Davis Wright Tremaine notes: "The limited good news is that full Social Security numbers were not exposed. CMS should be commended for limiting access to the full SSNs; otherwise this could have been much worse. The bad news is that this is otherwise what everyone feared with respect to HealthCare.gov. The site collects a lot of personal data and is an attractive target to hackers or insiders abusing their access."
ID Theft Protection Offered
The letter notes that HHS will provide those whose data was exposed with free identity theft protection services.
"At this time, we don't know whether all of this information was actually accessed or misused. However, since this breach involves sensitive personal information, including partial SSN, there could be a risk of identity theft," the letter acknowledges.
The tool through which the breach occurred is only available through the currently disabled Direct Enrollment pathway for agents and brokers, HHS noted in its original Oct. 19 statement. The rest of the HealthCare.gov website continues to function; open enrollment for Obamacare began Nov. 1.
The Nov. 7 notification letter states that HHS is continuing to investigate the breach "and putting additional security measures in place to make sure HealthCare.gov and the marketplace process are safe and all consumer information is protected. Please be assured that all information will be protected during open enrollment."
How Did Hack Happen?
Based on the limited details that CMS has released, "it is difficult to determine how the breach might have happened," former healthcare CIO David Finn, executive vice president at security consultancy CynergisTek, noted when HHS issued its original statement.
"It could be anything from phishing to stolen credentials to a brute force attack," he said. "Agents and brokers should be taking a good look at their own users and sites. And any impacted consumer should be checking credit reports, claims, banks and even medical records."
It's safe to say that HealthCare.gov is a target for hackers, Finn notes. "Healthcare ... is now in the top targeted industries, and there is no indication that this is going to lessen."
Security of the HealthCare.gov site, as well as the related backend systems of the Federal Facilitated Exchanges, has been closely scrutinized, even prior to the rocky launch of Obamacare's first open enrollment season in the fall of 2013. That launch was plagued with technical problems, including individuals encountering great difficulties accessing the site (see Insurance Exchanges: Work in Progress).
In addition, the lack of end-to-end security testing before the launch of HealthCare.gov on Oct. 1, 2013, had been a sore point focused on during several Congressional hearings that followed in the months afterwards.
Then in September 2014, HHS disclosed that that malware had been uploaded on a HealthCare.gov test server in July 2014. HHS officials said at the time that the malware was designed to launch a distributed denial-of-service attacks against other websites when activated. No consumer data was exposed in the incident, officials said.
In response to criticism from privacy advocates and others, HHS in 2015 also made a number of fixes to the HealthCare.gov site to scale back on the release of consumer data to third-party commercial sites (see: Healthcare.gov Makes Privacy Fixes).
HealthCare.gov systems have also been the subject of security reviews by various government watchdog agencies, including the Government Accountability Office.
For instance, in March 2016, GAO issued a report noting that between October 2013 and March 2015, CMS reported 316 security-related incidents affecting HealthCare.gov and its supporting systems (see: Report Spotlights Healthcare.gov Security Weaknesses).
But the study also noted that none of the security incidents reported by CMS showed evidence that an outside attacker had successfully compromised sensitive data, such as personally identifiable information.
Nonetheless, that report noted GAO found weaknesses in systems and connections supporting HealthCare.gov, including the Federal Data Services data hub - a portal for exchanging information between the federal marketplace and CMS's external partners.