HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

CMS Blue Button 2.0 Coding Bug Exposed PHI of 10,000 Medicare Beneficiaries

The Centers for Medicare and Medicaid Services (CMS) has discovered that a bug in its Blue Button 2.0 API exposed the protected health information of around 10,000 Medicare beneficiaries. Access to the Blue Button API has been temporarily suspended while the CMS completes a comprehensive code review. The CMS has not produced a timeline for when the Blue Button 2.0 service will be resumed.

On December 4, 2019, the CMS was alerted to a data anomaly with the Blue Button API by a third-party application partner. The CMS confirmed the data anomaly and immediately suspended access to the production environment while the matter was investigated.

The CMS determined the anomaly was due to a coding bug. That bug potentially allowed data to be shared with incorrect Blue Button 2.0 applications and the wrong beneficiaries. The CMS determined 30 applications have been impacted by the bug.

The Blue Button platform is used by Medicare beneficiaries to authorize third-party applications, services, and research programs to access their claims data. A CMS identity management system verifies user credentials through a randomly generated unique user ID, which ensures the correct beneficiary claims data is shared with the correct third-party applications.


The CMS discovered that a coding bug was causing Blue Button 2.0 to truncate a 128-bit user ID to a 96-bit user ID. A 96-bit user ID is not sufficiently random and, as a result, the same truncated user ID was assigned to different beneficiaries. That meant that some of the beneficiaries with the same truncated user ID in the identity management system had their claims data passed to other users and applications via Blue Button 2.0.

The error, and why it resulted in the impermissible disclosure of claims data, are perfectly understood. What was not initially clear was how the bug was introduced and why it was not found in time to prevent the exposure and disclosure of sensitive beneficiary data.

There are three takeaways from the initial findings of the investigation, relating to code reviews, testing, and cross-team collaboration.

The CMS investigation found the bug was introduced on January 11, 2018. When changes are made, there is usually a comprehensive review of the changes, but in January a comprehensive review was not completed. If the review had occurred, the bug could have been identified and corrected before any sensitive information was disclosed.

The CMS tests Blue Button 2.0 using synthetic data to verify functionality. This ensures that no personal health information is put at risk. Integration of Blue Button 2.0 with other systems is not tested in order to protect personal health information. Consequently, integration with the identity management system was not tested.

The CMS notes that the code that generates the user ID token is run by a separate identity management team. The Blue Button 2.0 team made assumptions about how the token worked, and those assumptions were not validated. Had there been better collaboration between enterprise teams, the necessary information would have been available when decisions were made.

Steps have now been taken to prevent further errors from occurring in the future. An enhanced quality review and validation process has been implemented, and the Blue Button 2.0 team will be performing comprehensive reviews of all new code to ensure that any coding errors are identified and corrected before the code changes go live. Blue Button 2.0 will also now store full user IDs instead of truncated IDs.
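The truncation failure and the stated fix of storing full user IDs can be shown in a few lines of Python. This is an added example, not CMS code: the function names and sample IDs are constructed, and keeping the leading 96 bits is an assumption, since the article does not say which bits were dropped. The collision audit is a check that can be run on synthetic IDs without touching real beneficiary data.

```python
from collections import defaultdict

ID_BYTES = 16      # 128-bit ID issued by the identity system (per the article)
STORED_BYTES = 12  # 96 bits kept by the buggy code (per the article)

def truncate_id(user_id: bytes) -> bytes:
    # Assumption: the leading 96 bits are kept; the article does not say which were dropped.
    return user_id[:STORED_BYTES]

def index_truncated(records):
    """'Before' behaviour: key claims by truncated ID; a later record silently overwrites."""
    return {truncate_id(uid): claims for uid, claims in records}

def find_collisions(user_ids, key=truncate_id):
    """Return {stored_key: [full IDs]} for each stored key shared by more than one distinct ID."""
    groups = defaultdict(set)
    for uid in user_ids:
        groups[key(uid)].add(uid)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def index_full(records):
    """Corrected behaviour: key by the full ID; reject wrong widths and duplicate IDs."""
    index = {}
    for uid, claims in records:
        if len(uid) != ID_BYTES:
            raise ValueError(f"user ID is {len(uid) * 8} bits, expected {ID_BYTES * 8}")
        if uid in index:
            raise ValueError("duplicate user ID in input")
        index[uid] = claims
    return index

# Constructed sample data: A and B differ only in their last 32 bits.
PREFIX = bytes.fromhex("00112233445566778899aabb")
ID_A = PREFIX + bytes.fromhex("00000001")
ID_B = PREFIX + bytes.fromhex("00000002")
ID_C = bytes.fromhex("ffeeddccbbaa99887766554433221100")
RECORDS = [(ID_A, "claims-for-A"), (ID_B, "claims-for-B"), (ID_C, "claims-for-C")]

if __name__ == "__main__":
    unsafe = index_truncated(RECORDS)
    print("A via truncated key:", unsafe[truncate_id(ID_A)])
    print("colliding IDs:", find_collisions(uid for uid, _ in RECORDS))
    print("A via full key:", index_full(RECORDS)[ID_A])
```

Running `find_collisions` over IDs produced by the upstream identity system, before any change to how IDs are stored goes live, turns an unvalidated assumption about the token format into a test that fails.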

A full review of the platform is now being conducted and the API will remain suspended until that coding review has been completed.

An in-depth analysis will also be conducted to determine the potential impact on affected beneficiaries. Decisions will then be made about what other steps are required to protect affected beneficiaries, such as the provision of credit monitoring services.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.