Someone is Breaching HealthCare.gov, But It's Not a Hacker

David Goldman/AP File Photo

The online Obamacare marketplace has experienced a type of breach common in the private medical sector – but it doesn’t involve hackers. 

Of the 300-some reported security incidents that have impacted HealthCare.gov and supporting machines, there was a single malicious intrusion, according to federal auditors. The other instances of exposure of personal information involved missent snail mail and insecure emails.

Even counting that one hack, there is no evidence in any of the 316 HealthCare.gov cases that an attacker intentionally compromised personal information, a Government Accountability Office audit found. 

About 17 percent of the incidents involved unauthorized access during the evaluation, which began in October 2013 and ended in March 2015. 

The one genuine intrusion, in the summer of 2014, was not a targeted attack: an intruder installed malware on a server used to test code for HealthCare.gov. The compromised machine held no personal data, and the hack was not aimed specifically at the online insurance exchange run by the Centers for Medicare and Medicaid Services. In fact, the malicious program was intended to help launch paralyzing “denial of service attacks” against other websites.

The majority of security incidents reported "involved such things as electronic probing of CMS systems by potential attackers, which did not lead to compromise of any systems, or the physical or electronic mailing of sensitive information to an incorrect recipient," Gregory Wilshusen, GAO director for information security issues, and Nabajyoti Barkakati, director of the office's Center for Technology and Engineering, said in the report.

When personally identifiable information was leaked, the details were "disclosed because of physical mail being sent to an incorrect recipient or unencrypted PII being transmitted via e-mail to a limited number of individuals," they added. 

A perusal of health-related incidents indexed on DataBreaches.net suggests not a week goes by without someone in government or industry dumping paper medical records in a dumpster, emailing a spreadsheet with patient information in plain text without encryption, or sending patient letters to the wrong patients. 

According to the site's database, the Laborers’ Health & Welfare Trust Fund for Northern California discovered on Feb. 17 that a clerical error had sent participant tax forms showing medical-related data to others in the plan.

Also in California, medical documents containing names and Social Security numbers for hundreds of Modern Home Health Care patients were found splayed on a Paradise Hills sidewalk on Feb. 29. A man on the walkway spotted the records, which contained names, addresses, birthdays and Social Security numbers, lying with some other trash.

BJC HealthCare Accountable Care Organization in St. Louis learned on Dec. 30, 2015, that an email with personal information on 2,393 patients had been transmitted to a participating medical practice without encryption.

When the HealthCare.gov audit was released Wednesday, GOP lawmakers penned letters to Health and Human Services Department officials requesting further explanation about reported privacy weaknesses.

Republican committee leaders in both chambers asked the Obama administration for a list and description of every security incident involving HealthCare.gov since October 2013. Among other things, the lawmakers want to know how many individuals were affected during each of 41 “privacy incidents,” whether the incident involved personal data, and whether affected people were notified. 

The number of individuals affected in these situations was not fully documented, according to GAO. In some of the cases, the information was not properly secured, but it is not clear from the audit whether any data was exposed to others.

Separately, the head of the House Science, Space and Technology Committee subpoenaed HHS documents concerning claims that personal information is being stored for all HealthCare.gov account holders, regardless of whether they go through with signing up for coverage. 

Chairman Rep. Lamar Smith, R-Texas, said the committee has learned at least 327 employees have access to the storage database, including more than 100 users with access to personal information. 

"The science committee wants to know how the federal government collects and manages Americans’ personal information," he said in a statement.