Data insecurity in Obamacare insurance exchanges (US)

The warning that should appear as the main page of 50 state health exchanges.

Subsumed under the ‘government shutdown’ (affecting in reality a distinct minority of Federal government employees) is the significant concern that the state-based online exchanges now selling individual insurance, effective 1 Jan 2014, much trumpeted under the Affordable Care Act and baked into it two years ago, already present significant vulnerabilities in securing the vital data of millions: Social Security number, date of birth, addresses, tax and earnings information. These state-based exchanges are also dependent on information from a Federal data ‘Hub’ which “acts as a conduit for exchanges to access the data from where they are originally stored.” (HHS Office of Inspector General report August 2013, page 2) If improperly secured, this opens up other Federal agencies to further upstream identity theft mayhem.

Already information is in the hands of thousands of call center staff and so-called ‘navigators’ who may or may not have gone through security verifications. Insurance customer information has already leaked outside of exchanges (see below).

Technical problems such as freezing, hanging and error messages mean system, database, broken code and server problems–signs of weak points (ask your favorite programmer). Weak points mean open windows for hackers and data thieves to crawl into–and profit from.

We at TTA have been following healthcare-related data breaches and medical identity theft issues for at least two years, with our latest two months ago here on the exploding black market.

When medical records’ black market value is estimated at an average of $50 per record–94 percent of health care organizations have had at least one breach in the past two years–and 2 million Americans were medical identity theft victims in 2011–it’s one unpleasant ‘pointer to the future.’

This Editor will let the latest mass media coverage and a survey speak for themselves on the possibility of the insurance exchanges opening a new wave of breaches; our readers–particularly those in the US–can decide if she is Cassandra or Chicken Little:

  • “Minnesota insurance broker Jim Koester was looking for information about assisting with Obamacare implementation; instead, what landed in his inbox last month was a document filled with the names, Social Security numbers and other pieces of personal information belonging to his fellow Minnesotans. In one of the first breaches of the new Obamacare online marketplaces, an employee of the Minnesota marketplace, called MNsure, accidentally emailed Koester a document containing personally identifying information for more than 2,400 insurance agents, the Minnesota Star Tribune reported. MNsure was able to quickly undo the damage because Koester cooperated with them, but the incident left him unnerved.” CBS News, 2 October. While this appears to be an isolated incident, it can only feed fears that sensitive information all too easily can go astray.
  • “A provision in ObamaCare requiring medical providers to switch from paper patient charts to electronic records is intended to reduce costs and improve care. But privacy advocates fear the transition is too fast for security measures to keep pace. “The thing I worry about is not that we are doing it, but that we’re doing it without the right safeguards,” said Lee Tien, a senior staff attorney with the Electronic Frontier Foundation. “We have been giving (medical providers) incentives to move into the electronic-health-records era. But we haven’t been giving them enough guidance on how they’re supposed to do it.” This opinion is reinforced by experts from McGladrey (consulting) and Unisys. FoxNews, 2 October
  • The “abnormally high traffic” that crippled New York’s ObamaCare Web site for two days may have resulted from a malicious attack by hackers, computer-security experts said Wednesday.
    The NY State Department of Health site recorded an astounding 10 million visits after opening for business Tuesday — although there are only about 1.1 million state residents without health insurance and just 330,000 are expected to buy ObamaCare for next year. By comparison, the federal government’s heavily promoted HealthCare.gov site — a portal to the sites for all 50 states, the District of Columbia and America’s territories and commonwealths — drew just 4.7 million visitors the first day.” Late Tuesday, NY State of Health Executive Director Donna Frescatore said technicians were “looking into the cause of this abnormally high traffic.” Darien Kindlund, manager of threat intelligence for the FireEye network-security company, said “the sheer volume” of visits to New York’s site pointed to a possible “distributed denial of service,” or DDoS attack, in which virus-infected computers bombard a site with traffic. NYPost, 3 October
  • In Maryland, “Technical problems continued to frustrate people attempting to access the new state health insurance exchange on Friday. The issues with marylandhealthconnection.gov, the online exchange set up under national health reform, prompted some analysts to suggest that the system’s software and servers aren’t robust enough. “They seem to be building this system on the go,” said Robert Laszewski, a Washington-based insurance industry consultant. “It was not adequately tested, and it was not ready for prime time. That is perfectly clear.” Baltimore Sun, 4 October
  • “South Florida consumers reported a second consecutive day of technical problems on Wednesday that locked them out of the online health insurance exchange on HealthCare.gov that is key to the Affordable Care Act. Wednesday marked day two of a six-month open enrollment period, during which eligible low- and middle-income consumers can sign up for subsidized health insurance through the federally run website. But many who tried to take a look at the health plans were once again unable to get past the first step: creating an account necessary to verify subsidy eligibility, shop for plans and enroll for coverage.” Miami (Florida) Herald, 2 October
  • But Health and Human Services (HHS) is on the case. They spent this weekend taking down HealthCare.gov for several hours each night in order to fix and upgrade. This may continue. Unusual in that this breakdown has happened quite so soon. Remember that preparations supposedly started two years ago. NYPost, 5 October
  • Fixing and upgrading might be putting lipstick on a hog. This article in FierceHealthIT recaps the critique by the Washington Post’s digital products and strategy heads. The finest minds in government have brought forth an overly complex, slow-loading and confusing website.

Then there is vox populi. A survey of just under 1,000 US residents taken by an organization called HealthPocket indicates even more popular insecurity, with a majority believing that the information will be inappropriately shared with other government agencies and not safe from misuse. What is also striking is the extent to which people are unaware how much personal information was required in their application!

High Public Concern Over Privacy and Hacking on Obamacare Exchanges

Couldn’t someone at HHS have anticipated these problems–because there will be more?

Comments

    • Donna Cusano

      One of the reasons why I chose mainstream media (oft abbreviated as MSM here in the US) to cite in this article, except for FierceHealthIT and the interesting HealthPocket survey, was precisely this. I also chose from a broad spectrum so neither left nor right. If you see my updates for today, the news is worse, not better–and scathing. My point is that Americans may very well be paying for a lot more than insurance–with their credit and good name–if this is not fixed, and soon.

      I’ve expressed my own opinion before that I am a firm believer in individuals purchasing their own health policies from anywhere in the country, as long as a state certifies the insurance company as being on a sound basis. You could also purchase through associations, ‘mutuals’ or co-ops–just like one buys home, auto, life, liability or business insurance–as much or as little as needed, or not at all (no car=no auto insurance). Unfortunately the policies through the ACA are like buying a Christmas tree with all the ornaments and tinsel–even if you don’t want the Jolly Santa and hate icicles–with a heaping helping of personal risk.
