The Centers for Medicare and Medicaid Services acknowledged 75,000 people's records were accessed but haven’t disclosed who might be behind it.
Hackers accessed sensitive personal data of more than 75,000 Healthcare.gov customers after one of its systems was breached, according to a Friday statement by the Centers for Medicare and Medicaid Services.
According to the statement, CMS officials detected “anomalous system activity” in the Federally Facilitated Exchanges system—one that health care insurance agents and brokers use to enroll users in Affordable Care Act plans—on Oct. 13 and confirmed the incident three days later.
CMS officials said they are working to identify and help those whose data was compromised while federal law enforcement conducts an investigation into the breach. The statement did not address who might have been behind the hack or what could be done with the compromised data, nor did CMS officials immediately respond to questions Monday from Nextgov.
In the interim, CMS disabled the Direct Enrollment pathway and deactivated agent and broker accounts associated with the anomalous activity, though the agency hopes to have the system online when the sign-up season begins Nov. 1. The Healthcare.gov site and online Marketplace are still available and accessible to the public.
“Our number one priority is the safety and security of the Americans we serve. We will continue to work around the clock to help those potentially impacted and ensure the protection of consumer information,” said CMS Administrator Seema Verma, in a statement. “I want to make clear to the public that HealthCare.gov and the Marketplace Call Center are still available, and open enrollment will not be negatively impacted. We are working to identify the individuals potentially impacted as quickly as possible so that we can notify them and provide resources such as credit protection.”
In a letter Saturday, Sen. Ron Johnson, R-Wis., Chairman of the Senate Committee on Homeland Security and Governmental Affairs, requested Health and Human Services Secretary Alex Azar to provide the committee with information regarding the scope of the breach and any steps the agency is taking to remedy the situation.
“Cyberattacks threaten all sectors of our economy, and this latest breach demonstrates the federal government remains one of the most vulnerable. CMS owes the public answers and better protection of their personal information,” Johnson said.
Health care data is among the most prized datasets for hackers because it “provides the most comprehensive data set available for any individual,” Pravin Kothari, CEO of CipherCloud, said in a statement. Because the records contain so much data about a person, Kothari said they are often used to facilitate identity theft.