Americans who buy health insurance through the federal Obamacare exchange website could have their personal information stolen by hackers and never even know it.
Most of the state-run health exchange websites will be covered by state laws that require notification when government databases are breached by hackers. But there is no law requiring notification when databases run by the federal government are breached, and even though the Department of Health and Human Services was asked to include a notification provision in the rules being drawn up for the new federal exchange, it declined to do so.
Other protections for individuals’ privacy, like the Health Insurance Portability and Accountability Act, or HIPAA, do not apply to the government-run exchange, only to health providers and insurance companies operating within the exchange.
Privacy advocates and cyber-security experts have had concerns about the lack of a federal notification law for years and hope the scrutiny of the Obamacare exchange will finally bring change.
“The notification requirement is a very important part of overall security,” said Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology. “People should be told when their information is at risk.”
The lack of a notification requirement is particularly bad for the health insurance exchange website because of all the questions surrounding the site’s security. Poor security, coupled with the website’s high-profile problems, could make it a target for hackers either seeking to steal identities or embarrass the government.
Unfortunately, security is often an afterthought for the government, said David Kennedy, CEO of TrustedSEC, an Ohio-based cyber-security firm. Kennedy has testified before Congress about security threats in the Obamacare exchange and the need for notification laws.
“All we need is something that says if the federal government is breached, all we have to do is alert the public,” he told Watchdog.org. “Healthcare.gov is just one website of hundreds that have had these issues going back through the years.”
Together, these factors create a possible nightmare scenario. Without strong security on the front end, the hastily built and not fully operational website could become a treasure trove for hackers looking to steal identities. And without any law requiring the federal government to notify those victims, users of the federal health exchange will be in the dark about any potential security breaches of their private data.
When the federal Obamacare exchange was being developed by HHS prior to its troubled launch on Oct. 1, experts told the department that it should include a data-breach provision in its policies for the website even though one was not required under federal law.
The department flatly declined to do so.
The final rules for the exchanges were approved at a March 27, 2012, meeting of HHS officials, according to the Federal Register.
At that meeting, two commenters asked HHS to ensure the exchanges would promptly notify affected enrollees in the event of a data breach or unauthorized access to the exchange’s databases. One suggested that a full investigation be launched each time such a breach occurred, with the goal of holding hackers legally and financially accountable for breaking into the website.
The department’s response: “We do not plan to include the specific notification procedures in the final rule. Consistent with this approach, we do not include specific policies for investigation of data breaches in this final rule.”
Since there is no federal notification requirement, breaches of any and all federal databases can occur without the public ever being informed.
Published with permission from Watchdog.org.
Boehm is a reporter for Watchdog.org and can be reached at EBoehm@Watchdog.org. Follow him on Twitter @EricBoehm87.