OPM Database Storing 4 Billion Employee Health Records Needs Security Upgrades

About an hour and a half into a combative House hearing last week on the massive breach of federal personnel and security-clearance files, lawmakers got around to asking officials at the Office of Personnel Management whether the agency also collects federal workers' health data.

No, OPM Director Katherine Archuleta said. The agency only collects information about employees’ selection of insurance providers, she said.

“So it’s not specific medications? It’s not specific conditions? asked Rep. Mick Mulvaney, a South Carolina Republican.

“No,” Archuleta said.

That’s true for now. But OPM is preparing to go live with a database of health claims to aid agency planners in conducting cost analyses that will contain just that type of detailed health information on federal workers. Meanwhile, the OPM Office of the Inspector General, which operates under separate statutory authority from the agency writ large, does, in fact, maintain a massive database of employees’ health information.

The OIG’s “data warehouse” of federal employees’ health and prescription drug claims is used by auditors to detect fraud in the Federal Employees Health Benefits Program. It contains 4 billion records, and is a treasure trove of sensitive data, including personally identifiable information and protected health information, such as diagnoses and conditions.

And the system needs security upgrades, according to a little-noticed OPM budget document from earlier this year. 

To be clear, officials say employee health information was not compromised in the two recent OPM hacks. The OIG’s database is maintained at OPM headquarters -- not the Interior Department shared data center, where hacked personnel files were stored -- and employs different security measures. But the recent breaches, called the worst exposure of government data in history, have led to scrutiny of other data assets maintained by the agency.

In February, the OIG asked for an additional $1 million in funding to be set aside in the 2016 budget to better secure its data warehouse of health claims, according to the agency’s 2016 budget justification.

In seeking additional funding for its systems earlier this year, the OIG specifically cited the “recent breach involving a sensitive OPM system.” That’s a reference to a 2014 intrusion into OPM networks that didn’t lead to the loss of any personally identifiable information and which predates the massive hack of employee personnel records OPM revealed earlier this month.

Following that 2014 breach, the IG met with the Department of Homeland Security and the OPM chief information officer “to discuss needed security updates for OIG systems and data,” according to the 2016 funding justification. “The OIG has implemented strengthened controls, but funding is needed for software applications and infrastructure changes to strengthen the security and protection of the health care claims data warehouse.”

Overall, OPM is seeking a total of about $21 million for agencywide IT security upgrades.

The OIG’s health claims database is used by auditors to spot fraud and conduct audits of carriers in the OPM-managed federal health plan system. Claims are currently stored in the warehouse, which is protected by “multiple layers of computer firewalls,” according to a 2011 “system of records notice,” published in the Federal Register.   

The database contains 4 billion records, according to budget documents, including names, dates of birth, Social Security numbers, specific health procedures performed and diagnoses made.

OPM Prepares to Go Live with Second Health Claims Database

Separately, OPM over the past few years has been building another database of health claims. The “Health Data Claims Warehouse” was authorized in 2010 under the Affordable Care Act to help the agency’s planners better track FEHBP costs.

The system hasn’t yet gone live. It recently underwent a “System Accreditation and Authorization process,” meaning senior agency officials have signed off on the security of the system. This data warehouse will contain the same types of information as the OIG system.

In a November 2014 memo to OPM officials, auditors raised concerns about the development of this separate system.

“It is important to note that developing and maintaining a health claims data warehouse of this magnitude presents its own complex challenges,” including security, the OIG’s memo stated.

“This continues to be a complex project with a variety of operational and security issues that need to be addressed,” the OIG said. “Senior leadership will need to closely monitor this project.

(Image via val lawless/ Shutterstock.com)