The millions of new users flocking to state and federal health exchanges created by the Affordable Care Act “could mean bigger data breaches with bigger lawsuits, fines and financial losses,” worries Experian, a giant in the data privacy business. Could, yes — but how great is the risk?
Fears were worsened last November when a Congressional hearing revealed that an internal memo within the Center for Medicare and Medicaid Services noted that “the [security] threat … is limitless” from undisclosed features of the Obamacare website’s information-handling infrastructure. More troublesome, the memo didn’t make its way to Henry Chao, the center’s deputy chief information officer, an omission that fanned fears of a cover-up. Ignorant of the memo, Chao certified the website’s security as part of its ill-fated October debut. When confronted with the memo, Chao hinted that he might not have certified the website as ready for launch had he seen it.
Another of the center’s internal memos shows that it gave itself a waiver to open the federal health insurance exchange with “a level of uncertainty … deemed as a high [security] risk.” The center’s chief information security officer approved the waiver, even though three of her colleagues objected in a written statement, saying that the agency’s mitigation steps — including a dedicated security patrol and frequent testing — wouldn’t reduce the risk.
But what is the risk? The state and federal health exchanges themselves aren’t new databases; they don’t store data or ask for personal medical information. They gather data from people signing up for health insurance — income levels, Social Security numbers, and other identifiers — and then electronically verify the information with the relevant federal agency. Once the data has been verified and the person’s health insurance account has been created, the data is expunged from the exchanges’ records.
As part of the federal website’s reinvention, security risks have been tamed, according to the website’s administrators. George Smith, a well-known international consultant on cybersecurity and senior fellow at GlobalSecurity.org, notes that the exchange’s data is handled using the same protocols that other government websites and databases use to ensure security. Scott Borg, CEO of the private, nonprofit U.S. Cyber Consequences Unit, which analyzes and advises on data security, says that health exchange websites are less complicated than most e-commerce sites, which makes them easier to keep secure.
Still, on the Internet, security is measured against the last hack attack, not the next one. To ensure data privacy in the age of Obamacare, Experian suggests that any organization handling individuals’ health care data redouble its security vigilance, train staff to handle data securely, and have detailed emergency plans in place to deal with breaches. But nothing replaces the individual responsibility each of us has to take precautions when revealing our medical or personal details to anyone — even, or especially, government agencies.