Obamacare: Two Bills Set for Vote in Congress as Concerns Grow Over Website Security
Taxpayers Protection Alliance
January 10, 2014

The future of health care is one of the more pressing questions for the United States as Obamacare continues its implementation into the new year. With a disastrous rollout last fall that included a defective website and millions of policy cancellations for holders of private market insurance policies, the President and Democrats in both chambers of Congress can ill afford a new slate of problems with a law they are solely responsible for in every way possible. Unfortunately, there is another aspect of Obamacare that is already causing havoc for millions of Americans, and the problem is one that has the potential to impact millions more if not addressed responsibly. This problem is the real threat to the security of private information of individuals who use the healthcare.gov website to attempt to sign up for coverage under the federal health insurance exchange.
Concerns about how secure the Obamacare website is were voiced long before the October 2013 rollout of healthcare.gov, and there were even some early signs that the information of users may not be totally protected in the federal exchange. Henry Chao, the Deputy Director and Deputy Chief Information Officer of Centers for Medicare & Medicaid Services (CMS), apparently was kept in the dark even though he was the administration’s point-man on the security of the website. A September memo from CMS outlined a frightening picture of the security issues that the website faced. Avik Roy, in Forbes, detailed the stunning revelations about the risks (and Chao being left out of the loop) just a little more than a month after the botched rollout:
In a September 3 memo from Tony Trenkle—the memo that Chao never received—CMS officials disclosed that “the threat and risk potential is limitless” from a redacted security issue, and that “non-compliance with…CMS Minimum Security Requirements (CMSR) without continuous monitoring presents an unacceptable risk.”
Elsewhere, the memo describes “the possibility that the [Obamacare exchange] security controls are ineffective. Ineffective controls do not appropriately protect the confidentiality, integrity, and availability of data and present a risk to the CMS enterprise.” Other problems “can lead to controls not being appropriately implemented and [to] a lack of accountability.”
A number of these issues were considered “open high findings”—the most serious category of security concerns. In Chao’s testimony to the Oversight Committee, Chao stated that he only recommended that the exchange launch go forward because there were no high findings of security issues.
The possibility of data being compromised in healthcare.gov is extremely serious and something that Congress will be attempting to address in two separate pieces of legislation. H.R. 3811, the Health Exchange Security and Transparency Act of 2014, sponsored by Rep. Joe Pitts (R-Penn.), requires the administration to notify individuals if personal information has been stolen or illegally breached through Obamacare exchanges. H.R. 3362, the Exchange Information Disclosure Act, introduced by Lee Terry (R-Neb.), requires the Department of Health and Human Services (HHS) to provide weekly reports on the status of healthcare.gov to Congress and the public. According to the House Energy & Commerce Committee, “these reports will provide key metrics regarding HealthCare.gov, including unique website visits, accounts created, qualified health plan selection, and Medicaid enrollment.”
The good news is that there are measures being taken legislatively to try to deal with the lax security of the Obamacare website and the overall security of the personal information of those who may be using any of the Obamacare exchanges. Unfortunately, the bad news is that there have already been problems that have resulted in the compromised security of the private information of individuals:
- September 2013: In Minnesota, an employee for the state exchange, MNsure, sent an unencrypted file to the wrong person, leaving 2,400 people’s private information at risk.
- October 2013: Prior to an HHS fix in late October, anyone could easily reset a user’s Healthcare.gov password without the user’s knowledge and possibly hijack the account, leaving personal information at risk.
- November 2013: David Kennedy, CEO of information security firm TrustedSec, testified before a congressional committee about the lack of security in the website, saying “Hackers are definitely after it, and if I had to guess, based on what I can see… I would say the website is either hacked already or will be soon.”
 
TPA signed a coalition letter supporting both measures, while President Obama released a statement noting that the administration does not support the Exchange Information Disclosure Act “because it would require unfunded, unprecedented, and unnecessary reporting requirements of Health Insurance Marketplaces that exceed those of other public and private programs.” That being said, both bills are expected to pass with bipartisan support, and while the Senate may ultimately decide not to take further action, the security of the private information of individuals who are using the health care exchanges remains a serious issue that must be dealt with, so as to ensure the integrity and privacy of millions of citizens nationwide.