Obamacare Exchange Opens Door to Identity Theft

In just 12 days, Obamacare’s health insurance exchanges open for enrollment. When people use an exchange to apply for health insurance, they will have to provide sensitive personal data – such as Social Security numbers, household income, and other tax return information – which is then entered into a Federal Data Services Hub.

Unfortunately, recent news has called into question how good the Data Hub, and other parts of the Obamacare system, will be at protecting this private information. The White House is on the defensive, and Obama Administration officials now say they plan to coordinate a “rapid response mechanism” to deal with security breaches. Rather than trying to catch criminals after they get hold of people’s personal information, the Administration should join Senator Hatch and 26 other Republican Senators who’ve introduced legislation mandating that the Government Accountability Office, in consultation with the HHS Inspector General, attest the Data Hub’s security features are in place before the exchanges are allowed to open.

The warnings began when news surfaced that the Data Hub’s information technology security system to protect Americans’ private financial data has yet to be independently tested and verified. Last month the HHS Inspector General issued a startling report that signaled the Administration had missed multiple deadlines necessary to test the Data Hub’s operational capability, identify vulnerabilities, and remediate security risks.

After the IG report surfaced, the Obama Administration claimed, implausibly, that the Data Hub “is built and ready for operation, and we have completed security testing and certification to operate.” The Administration also reportedly said it “would not disclose some specifics … for fear of revealing too much to potential attackers – including those who may be ideologically opposed to the health-care law.” However, a 2002 federal law outlining information security standards may only require the agency to certify that the Data Hub can operate, even if the Administration has identified security risks. That’s a loophole big enough to let identity thieves drive a truck through.

President Obama is again saying trust us. The Inspector General doesn’t seem to be buying it, noting, “We could not assess planned testing or whether vulnerabilities identified by the testing would be mitigated because the [security control assessment] test plan had not been provided and the SCA had not been completed at the time of our review... According to CMS’s current timeline, the security authorization decision … is expected on September 30, 2013.” Finally, the IG warns: “If there are additional delays in completing the security assessment and testing, the CMS CIO may have limited information on the security risks and controls when granting the security authorization of the Hub.”

So no one really knows if the Data Hub’s security system will be able to stop private financial data from falling into the wrong hands. In addition, CMS signed a $1.2 billion contract with a British company to sort and evaluate exchange applications containing personal financial data. According to the New York Times, this company “has little experience with the Department of Health and Human Services or the insurance marketplaces.” Last year, congressional hearings uncovered that the same company exposed more than 120,000 federal Thrift Savings Plan enrollees to identity theft when personal financial data – including Social Security numbers – were stolen from a compromised computer. Not exactly a track record that inspires confidence.

People who work for, or are associated with, the exchanges are also vulnerable to data breaches. This week, the Minneapolis Star Tribune confirmed that an employee of the state run exchange, MNsure, sent an unencrypted email to a third party containing the names, license numbers, Social Security numbers, and business addresses of more than 2,400 insurance agents. The person who inadvertently received the data file, and reportedly deleted it, said: “[w]hat if this had fallen into the wrong hands? It’s scary. If this is happening now, then how can clients of MNsure be confident this data is safe?”

That’s the big question The Obama Administration has yet to answer.

Health Care Headlines

New York Times: “U.S. Warns of Frauds Tied to Health Care Law” The White House warned consumers on Wednesday to beware of possible fraud by con artists taking advantage of the new insurance marketplaces being set up under President Obama’s health care law.

Weekly Standard: “Obamacare Employee Accidentally Sends Out 2,400 Social Security Numbers” A sloppy mistake by an Obamacare employee hasn’t exactly inspired confidence that Americans’ private information will be closely guarded by Obamacare’s powers-that-be.

Health Affairs: “National Health Expenditure Projections, 2012-2022: Slow Growth Until Coverage Expands And Economy Improves” Health spending growth is expected to remain slow through 2013, but improving economic conditions, coverage expansions, and the aging of the population will drive faster projected growth in health spending in 2014 and beyond.

USA Today: “Health Insurers Urge Renewals Ahead of New Law” Aetna is urging its customers to renew their health insurance policies early “so you won't have to worry about how the 2014 changes affect you.” Florida insurer AvMed says early renewal will “reduce rate uncertainty and possible disruption” that could occur after the Affordable Care Act takes effect.

National Review: Opinion: “Sorry, Mr. President, There Is ‘Serious Evidence’ Obamacare Is Bad for Economic Growth” President Obama’s recent speech blended two messages many in Congress will find contradictory: Pass a budget that’s good for economic growth, and stop opposing my health-care law.

Wall Street Journal: “Walgreen to Give Workers Payments to Buy Health Plans” Rising health-care costs and a climate of change brought about by the new federal health law are prompting American corporations to revisit the pact they've long had with employees over medical benefits.