
Obamacare Exchange Opens Door to Fraud and Identity Theft

September 24, 2013

“Fraudsters are poised to take advantage of widespread confusion over the Affordable Care Act – also known as Obamacare – to steal Americans’ credit cards, Social Security numbers and other personal information.”
-- McClatchy Newspapers, 7/21/2013


The Obamacare Exchange Monster

[Graphic: Federal Data Services Hub diagram. Source: Citizen's Council for Health Freedom]

The insurance exchanges created by the Democrats’ health care law are scheduled to open in just one week. So far, implementation has been marked by a pattern of delays, missed deadlines, broken promises, special deals, and exclusive waivers. This is due to the Administration’s countless missteps as they struggle – using chicken wire and duct tape – to make the President’s signature law work.

When people use an exchange to apply for government mandated health insurance, they must provide a large amount of sensitive personal data, such as Social Security numbers, household income, and other tax return information. This private information is then routed through a gigantic Federal Data Services Hub. The Data Hub allows state and federal agencies – including the IRS, Social Security Administration, and the Department of Homeland Security – to query that private information from the systems where it is originally stored. Governments will use the merged data to make income determinations for Medicaid coverage, approve exchange insurance eligibility, and verify how much of a subsidy people receive.

Administration Is Legally Required to Provide Privacy Safeguards

Responding to the increased collection and storage of personal information in government computer databases, Congress enacted the Privacy Act of 1974 to regulate how Washington collects, maintains, uses, and distributes personally identifiable information. Additionally, the Federal Information Security Management Act (FISMA) of 2002 mandates that federal agencies implement specific information system security controls to protect the confidentiality of private data.

The Centers for Medicare and Medicaid Services (CMS) is bound by law to follow National Institute of Standards and Technology guidelines and to grant the Data Hub a formal security authorization, certifying that its risks have been assessed and its controls are in place, before the Obamacare exchanges can legally operate. The Obama Administration appears to be nowhere near ready to meet this standard. So it has gone looking for a loophole, reportedly claiming that it is covered by an exception to the Privacy Act. This is a tough sell.

When the Privacy Act became law, Congress never anticipated how the Internet would change how easy it is to collect and store personal health and financial information. Moreover, FISMA doesn't require CMS to certify that the Data Hub is "impregnable," only that -- despite identified security risks -- the Hub is authorized to operate. Those two concepts are miles apart.

Exchange Security Months Behind Schedule, Warnings Ignored

The Data Hub information technology security system has yet to be independently tested and verified secure. In fact, last month the HHS Inspector General issued a report warning that the Obama Administration missed multiple deadlines necessary to test the Data Hub’s operational capability, identify vulnerabilities, and remediate security risks. Since then, Congress has repeatedly cautioned the Administration not to launch the exchanges until an independent, third-party audit confirms the Data Hub is secure.

CMS has to take multiple steps to set up security for the Data Hub. It had set deadlines for each of those steps to stay on schedule, but the IG found that every one of them had slipped. CMS initially said one security step would take 51 days, but later told the IG it could now somehow handle it in just 10.

After the IG report surfaced, the Obama Administration claimed that the Data Hub “is built and ready for operation, and we have completed security testing and certification to operate.” But the Administration “would not disclose some specifics … for fear of revealing too much to potential attackers – including those who may be ideologically opposed to the health-care law.”

President Obama is saying trust us. According to the IG, however, there is no independent entity with sufficient time to verify the Data Hub’s security or offer specific recommendations guaranteeing financial data privacy. As the IG report says: “[a]ccording to CMS’s current timeline, the security authorization decision … is expected on September 30, 2013 … If there are additional delays in completing the security assessment and testing, the CMS CIO may have limited information on the security risks and controls when granting the security authorization of the Hub.”

So the Administration's own watchdog did not expect CMS to (1) receive the final security assessment from the independent testing organization until approximately 10 days before the Hub is expected to go live, or (2) make the final Data Hub security authorization decision until one day before the exchanges open.

No one really knows if the Data Hub’s security system can stop personal financial data from falling into the wrong hands. The Obama Administration simply wants Congress, and the American people, to accept news reports about its internal testing.

“The Most Widespread Violation of the Privacy Act in Our History”

Michael Astrue, until recently the Commissioner of the Social Security Administration, has been highly critical of Obamacare’s lack of privacy safeguards. He has written that a functional and legally compliant federal exchange will almost certainly not be ready on October 1. He argues that “[t]he reasons for failure are not short timelines (Congress gave HHS more than three years), political interference (Congress has not focused on ACA systems), or complexity (states have built well-designed exchanges). The reason is plain old incompetence and arrogance.”

Astrue's criticism grows harsher, saying that CMS "threw together an overly simplistic system without adequate privacy safeguards. The system's lack of any substantial verification of the user would leave members of the public open to identity theft, lost periods of health insurance coverage, and exposure of address for victims of domestic abuse and others. CMS then tried to deflect attention from its shortcomings by falsely asserting that it had done so to satisfy White House directives about making electronic services user-friendly. In reality, the beta version jammed through a few months ago will, unless delayed and fixed, inflict on the public the most widespread violation of the Privacy Act in our history."

Questionable Obamacare Exchange Contractor

Adding to these concerns, CMS signed a $1.2 billion contract with a company to sort and evaluate exchange applications containing personal financial data. According to the New York Times, this company "has little experience with the Department of Health and Human Services or the insurance marketplaces, known as exchanges, where individuals and small businesses are supposed to be able to shop for insurance." Last year, congressional hearings uncovered that the same company exposed more than 120,000 federal Thrift Savings Plan enrollees to identity theft when personal financial data – including Social Security numbers – were stolen from a compromised computer. Not exactly a track record that inspires confidence.

Problems in the States

People who work for, or are associated with, the exchanges are also vulnerable to data breaches. This week, it was reported that an employee of the Minnesota exchange, MNsure, sent an unencrypted email to a third party containing the names, license numbers, Social Security numbers, and business addresses of more than 2,400 insurance agents. The person who inadvertently received the data file said: “[w]hat if this had fallen into the wrong hands? It’s scary. If this is happening now, then how can clients of MNsure be confident this data is safe?”

These revelations placed the White House on the defensive, and Obama Administration officials now say they plan to coordinate a "rapid response mechanism" to deal with security breaches. Rather than trying to catch criminals after they get hold of people's personal information, the Administration should join Senator Hatch and 31 other Republican Senators who have introduced legislation mandating that the Government Accountability Office, in consultation with the HHS Inspector General, attest that the Data Hub's security features are in place before the exchanges are allowed to open.

Here Come the Obamacare “Con Artists”

On August 15, CMS announced $67 million in Obamacare Navigator grants will go to 105 different groups, including community groups, and Planned Parenthood affiliates. The Administration originally said navigators would need 30 hours of training and have to pass a certification test. Unable to guarantee training could be completed before the exchanges open, the Administration slashed that requirement by one-third – to only 20 hours.

Experts predict the health care law will trigger increased identity theft and scams as millions of Americans sign up for health coverage. People will give their personal health and financial information to navigators – many of whom won’t have gone through a criminal background check. In a letter to HHS Secretary Sebelius, 13 state attorneys general expressed concern that the Administration has failed to adequately protect consumer privacy by not appropriately training navigators to protect private information.

Ongoing House committee investigations have found that the navigator and assister programs lack basic safeguards protecting the American people against fraud and abuse. They reported that HHS will not even have a list of names of certified navigators, so Americans may not know if the person taking their application is a real navigator or a con artist.