A hack of the government’s Affordable Care Act-mandated healthcare exchanges has exposed the files of 75,000 individuals.
According to the Centers for Medicare and Medicaid Services (CMS), its staff detected “anomalous activity” in the Direct Enrollment pathway on Oct. 13 – with a breach declared three days later on Oct. 16. Details as to how the portal was compromised and what specific consumer information was exposed have not been released.
“CMS is in the beginning stages of the assessment of this breach,” the agency said in a posting on the incident. “This is an evolving situation and we will continue to provide additional information.”
“While we don’t know exactly what information was exposed in the Healthcare.gov breach, we do know citizens who sign up for healthcare plans include their names, addresses and Social Security numbers,” Ruchika Mishra, director of products and solutions at Balbix, said via email. “If this kind of data was exposed, users could face issues of identity theft and more.”
The Direct Enrollment pathway was first launched in 2013. It allows insurance agents and brokers to help consumers sign up for Obamacare coverage on the national healthcare exchanges, which are officially known as Federally Facilitated Exchanges, or FFE.
CMS characterized the breach as affecting “a small fraction of consumer records present on the FFE,” and said that the agent and broker accounts that were associated with the anomalous activity were deactivated. It also has disabled the Direct Enrollment pathway while it cleans up the compromise and implements additional security measures, but CMS said it expects service to be restored by the end of the week.
Other Affordable Care Act enrollment channels, including HealthCare.gov and the Marketplace Call Center, weren’t affected by the incident and remain operational.
“Our No. 1 priority is the safety and security of the Americans we serve,” said CMS administrator Seema Verma, in a media statement. “We will continue to work around the clock to help those potentially impacted and ensure the protection of consumer information.”
She added, “I want to make clear to the public that HealthCare.gov and the Marketplace Call Center are still available, and open enrollment will not be negatively impacted. We are working to identify the individuals potentially impacted as quickly as possible so that we can notify them and provide resources such as credit protection.”
The targeting of a behind-the-scenes system rather than the consumer HealthCare.gov site itself is par for the course, given that attackers will always target the weakest point of entry into networks.
“As so often happens in security breaches, it wasn’t the central consumer-facing site that was breached but an ancillary system used by insurance agents,” Mishra said. “This breach shows once again that no entity, not even the U.S. government, is immune from the dangers posed by hackers.”