PHI of 94,000 People Exposed Due to HealthCare.gov Data Breach

The Centers for Medicare & Medicaid Services (CMS) reported last month that the HealthCare.gov website was hacked, potentially resulting in the sensitive information of approximately 75,000 people being exposed. An update on the breach has been issued which confirmed that even more people have been affected by the breach than was previously thought. 93,689 individuals are now believed to have had sensitive information exposed.

The first breach report did not explain the nature of the breach nor the types of data potentially compromised. In the first report, the CMS explained that suspicious activity had been identified on the website on October 13. A breach was confirmed on October 16. Steps were promptly taken to protect the website and stop the hackers from accessing or downloading data.

The CMS began notifying breach victims on November 7. The breach notices explain that the ‘suspicious activity’ was an unnatural number of searches using agent and broker accounts. thoe searches returned data of individuals specified in Marketplace applications.

The CMS immediately deactivated the compromised agent and broker accounts along with the Direct Enrollment pathway for brokers and agents to secure the system. On October 26, the Direct Enrollment pathway was restored.

The CMS has confirmed that the hackers potentially accessed or stole the following information:

  • Name
  • Birth date
  • Gender
  • Address
  • Last four digits of Social Security number (SSN) – if supplied with applications
  • Expected revenue
  • Tax filing status
  • Tax credit amounts
  • Family relationships
  • Employer name(s)
  • Citizen or immigrant status
  • Immigration document types and numbers
  • Pregnancy status
  • Health insurance details, if any
  • Information given by other federal agencies or data sources to validate application details
  • If the Marketplace requested the applicant supply documents or explanations
  • Result of application
  • If an applicant signed up, the name of the insurance plan, premium, and coverage date range

The CMS did not confirm if the hackers stole any personal data; however as a precaution, the CMS has offered breach victims complimentary identity theft protection services. The investigation is still ongoing and further security measures will be implemented to improve site security.

The HealthCare.gov website has had a hard time ever since its introduction. A test server was uploaded with malware in July 2014, a couple of months after the launch of the website. Audits conducted by government watchdog agencies, such as the Government Accountability Office (GAO), identified a number of vulnerabilities and affirmed that the website and its network systems had 316 security incidents from October 2013 to March 2015.

While no incident resulted in the compromise of sensitive data, GAO identified some weaknesses in the technical controls utilized to protect information, the occurrence of patching, encryption, auditing, boundary protections and identification, monitoring and authentication that put data in jeopardy. It is not known how the hackers were able to access the login credentials to the accounts and if any of the GAO-identified weaknesses were taken advantage of.