A health data breach that impacted the Healthcare.gov portal last month could reportedly have helped hackers steal sensitive personal data like partial SSNs (Social Security Numbers), immigration status, tax information etc.
CMS (Centers for Medicare & Medicaid Services, which is part of the Department of Health and Human Services) had, in October, admitted to a breach that had impacted Healthcare.gov’s Direct Enrollment pathway for agents and brokers. A CMS news release dated October 19, 2018, had stated, “Earlier this week, CMS staff detected anomalous activity in the Federally Facilitated Exchanges, or FFE’s Direct Enrollment pathway for agents and brokers. The Direct Enrollment pathway, first launched in 2013, allows agents and brokers to assist consumers with applications for coverage in the FFE…At this time, we believe that approximately 75,000 individuals’ files were accessed.”
The suspicious activity was detected on October 13, following which a breach was declared. The CMS release had said, “CMS began the initial investigation of anomalous system activity in the Direct Enrollment pathway for agents and brokers on October 13, 2018 and a breach was declared on October 16, 2018. The agent and broker accounts that were associated with the anomalous activity were deactivated, and – out of an abundance of caution – the Direct Enrollment pathway for agents and brokers was disabled.”
After implementing additional security measures, the CMS reactivated the Direct Enrollment pathway on October 26.
HealthCare.gov had recently sent a letter to individuals who could be affected by the breach. The letter informs individuals that the breach could have led to their personal data getting compromised. The data might include names, date of birth, addresses, sex, last four digits of SSN (if SSN was provided on the Health Insurance Marketplace applications), expected income, tax filing status, family relationships, immigration document types and numbers, employer name, health insurance-related data, lots of data relating to insurance coverage etc. It was stated that bank account numbers, credit card numbers and diagnosis or treatment data were not among the data that was accessible to the hackers.
Those impacted by the breach have been offered free identity protection services. The letter reads, “We are continuing to investigate this breach and putting additional security measures in place to make sure HealthCare.gov and the Marketplace process are safe and all consumer information is protected. Please be assured that all information will be protected during Open Enrollment.”
The letter also states, “We are offering free identity theft protection services through ID Experts®, the data breach and recovery services expert, to provide you with MyIDCare™. MyIDCare services include: 12 months of credit and identity monitoring, a $5,000,000 insurance reimbursement policy, and fully managed identity theft recovery services. With this protection, MyIDCare will help you resolve issues if your identity is compromised.”
The letter clarifies that there is uncertainty as to whether the hackers had actually accessed or misused all the information mentioned in it. But since the breach involves sensitive personal data, including partial SSN, there is the risk of identity theft and individuals need to take protective actions to secure themselves.
It’s to be noted that Healthcare.gov had been targeted frequently by cybercriminals; the website was reportedly targeted at least 316 times between October 2013 and March 2015. Of these 41 incidents reportedly involved personally identifiable information. A 2016 report from the Government Accountability Office (GAO) had pointed out many security issues with the website.
