The breach of consumer data at Target has brought the issue of data security in focus. Yesterday a senator called for more protection and accountability for consumers and retailers. The following story from Watchdog.org tells us that government does not want to hold itself to the standards it wants the private sector to observe. There has been legislation proposed. Rep. Diane Black [R-TN6] has introduced H.R. 3731: Federal Exchange Data Breach Notification Act of 2013, whose title is “To require an Exchange established under the Patient Protection and Affordable Care Act to notify individuals in the case that personal information of such individuals is known to have been acquired or accessed as a result of a breach of the security of any system maintained by the Exchange.”
Feds not required to report security breaches of Obamacare exchange website
By Eric Boehm
HACKED OFF: Hackers or careless bureaucrats could cause private information to be spilled across the Internet. But the federal government, unlike most states, don’t have to tell users when they have been compromised.
By Eric Boehm | Watchdog.org
Americans who buy health insurance through the federal Obamacare exchange website could have their personal information stolen by hackers and never even know it.
Most of the state-run health exchange websites will be covered by state laws that require notification when government databases are breached by hackers. But there is no law requiring notification when databases run by the federal government are breached, and even though the Department of Health and Human Services was asked to include a notification provision in the rules being drawn up for the new federal exchange, it declined to do so.
Other protections for individuals’ privacy, like the Health Insurance Portability and Accountability Act, or HIPAA, do not apply to the government-run exchange, only to health providers and insurance companies operating within the exchange.
Privacy advocates and cyber-security experts have had concerns about the lack of a federal notification law for years and hope the scrutiny of the Obamacare exchange will finally bringchange.
“The notification requirement is a very important part of overall security,” saidDeven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology. “People should be told when their information is at-risk.”
The lack of a notification requirement is particularly bad for the health insurance exchange website because of all the questions surrounding the site’s security. Poor security, coupled with the website’s high-profile problems, could make it a target for hackers either seeking to steal identities or embarrass the government.
Unfortunately, security is often an afterthought for the government, said David Kennedy, CEO of TrustedSEC, an Ohio-based cyber-security firm. Kennedy has testified before Congress about security threats in the Obamacare exchange and the need for notification laws.
“All we need is something that says if the federal government is breached, all we have to do is alert the public,” he told Watchdog.org. “Healthcare.gov is just one website of hundreds that have had these issues going back through the years.”
Together it creates a possible nightmare scenario. Without strong security on the front end, the hastily built and not fully operational website could become a treasure trove for hackers looking to steal identities. But without any laws requiring that those victims be notified by the federal government users of the Federal health exchange will be in the dark about any potential security breaches of their private data.
When the federal Obamacare exchange was being developed by HHS prior to its troubled launch on Oct. 1, experts told the department that it should include a data-breach provision in its policies for the website even though one was not required under federal law.
The department flatly declined to do so.
The final rules for the exchanges were approved on March 27, 2012, meeting of HHS officials, according to the Federal Register.
At that meeting, two commenters asked HHS to ensure the exchanges would promptly notify affected enrollees in the event of a data breach or unauthorized access to the exchange’s databases. One suggested that a full investigation be launched each time such a breach occurred, with the goal of holding hackers legally and financially accountable for breaking into the website.
The department’s response: “We do not plan to include the specific notification procedures in the final rule. Consistent with this approach, we do not include specific policies for investigation of data breaches in this final rule.”
Since there is no federal notification requirement, breaches of any and all federal databases can occur without the public ever being informed.
The only way to find out a hack has occurred is when the government decides to disclose it — as several federal law enforcement agencies did last month in response to attacks from Anonymous, a group of super-hackers who threatened to take down the FBI website and others.
But hacks that happen behind the scenes —potentially stealing everything from Social Security numbers to Department of Homeland Security watch lists — never have to be reported.
“That’s alarming because there could be a number of federal databases that are compromised already and we don’t know about it,” Kennedy said. “The exchange is part of a bigger problem.”
Federal privacy protections contained in HIPAA also do not apply to the databases created by the federal exchange website, McGraw said, even though health insurers doing business through the exchange must be HIPAA compliant.
In other words, the health plan itself is covered by HIPAA and any breaches of security that affect a consumer who has purchased a specific plan would have to be reported. But the process of choosing and purchasing a plan through the federal exchange — along with any information entered into the federal exchange as part of that process — is not subject to HIPAA protections.
“The problem with the exchanges is that they are such new entities, and they are so unique that existing laws don’t really cover them,” McGraw said.
But 48 states have laws on the books requiring that they give notification to individuals who may have had personal information stolen or leaked from a government database. Many states require that government agencies and departments alert the state attorney general so investigations can be launched.
In states that opted to run their own health insurance exchanges, those laws generally cover security breaches of the exchanges, McGraw said, though it depends on the specific wording of each state law.
Those state laws are how data breaches of several state-level health insurance exchange websites have come to light.
In September, Watchdog.org reported on a data breech of the Minnesota health exchange — known as “MNsure” — that potentially affected as many as 2,400 people.
In Florida, concerns about data breaches of the state-run exchange website prompted Gov. Rick Scott to send a letter to Congress saying Floridians would not exchange privacy for insurance.
On the federal exchange, such breaches are possible, maybe even likely, since the site was launched without comprehensive testing of the security controls for the system.
A Sept. 27 memo to Medicare chief Marylin Tavernner said insufficient testing of the website before the Oct. 1 launch “exposed a level of uncertainty that can be deemed a high risk,” the Associated Press reported in October.
Even though the federal government does not have to report any breaches of security, at least a few already have occurred.
The most high-profile case so far is that of Thomas Dougall, a South Carolina lawyer who had his personal information accidentally leaked to another person after using the Obamacare exchange last month.
“We logged on and compared some prices,” Dougall later told Fox News’ Greta Van Susteren. “We came home last Friday night to have a young man from a completely different state calling to tell me that when he logged on … he got all my personal information in exchange.”
Dougall only found out about that breach of security because the recipient was kind enough to give him a call. Without a requirement that the exchanges report such problems — whether the result of nefarious hackers or glitches in the programming — it is impossible to tell how many other Americans have had their private information released by the federal exchange.
Kennedy said he would not recommend that anyone use the federal exchange until it is more secure and until breaches of security are reported.
“I would say think twice about it, at least until we get more details,” he said.
Kennedy says he supports universal health care and his criticisms of the website are not rooted in political motivations. But the former U.S. Marine whose firm provides computer security to several Fortune 100 companies says there have been “zero changes” to the security of the health insurance exchange website in the run-up to the much-touted Dec. 1 re-launch.
Congress has debated a federal notification law in each of the past three years, but one has never been passed.
In July, during a hearing of the House Committee on Energy and Commerce, lawmakers heard testimony from a variety of experts who explained the need for a federal breach notification requirement.
David Thaw, a law professor at the University of Connecticut who specializes in cyber-security and the legal framework around it, said data breach notification laws, combined with comprehensive data security, are an essential part of protecting consumers and businesses.
“I analogize the effects of breach notification alone to locking the bank or vault door while leaving a back window wide open,” he said.
With the federal health insurance exchange, there are questions about whether the vault door has been adequately locked.
But there is no doubt that the back window is still wide open.
Boehm is a reporter for Watchdog.org and can be reached at EBoehm@Watchdog.org. Follow him on Twitter @EricBoehm87
