CMS Investigating 75,000-Record Breach of Federally Facilitated Exchanges Direct Enrollment System

The Centers for Medicaid & Medicare Services (CMS) has discovered that hackers gained access to a health insurance system that interacts with the website and accessed files containing the sensitive information of approximately 75,000 individuals.

On October 13, 2018, CMS staff discovered anomalous activity in the Federally Facilitated Exchanges system and the Direct Enrollment pathway used by agents and brokers to sign their customers up for health insurance coverage. On October 16, the CMS confirmed there had been a data breach, and a public announcement about the cyberattack was made on Friday, October 19, 2018.

While the number of files accessed only represents a small fraction of the total number of consumer records stored in the system, it is still a sizable and serious data breach. The files contained information supplied by consumers when they apply for healthcare plans through agents and brokers, including names, telephone numbers, addresses, Social Security numbers, and income details.

While the CMS has confirmed that the files have been accessed by unauthorized individuals, it is currently unclear whether any files were actually stolen by the attackers.

The investigation into the cyberattack is ongoing and the CMS is currently working on implementing new security controls to prevent further attacks. The Direct Enrollment system has been temporarily taken offline to allow the security updates to be applied. The CMS expects the system to be offline for about a week. It will be back online for the upcoming enrollment period that commences on November 1.

“Our number one priority is the safety and security of the Americans we serve. We will continue to work around the clock to help those potentially impacted and ensure the protection of consumer information,” said CMS Administrator Seema Verma.

The CMS notes that the attack only affected the system used by agents and brokers. There has not been a breach of the website which is used by consumers to personally sign up for health insurance coverage. “I want to make clear to the public that and the Marketplace Call Center are still available,” said Verma.

The CMS will be sending notification letters to all individuals whose personal information has been exposed and will be providing further information on the steps they can take to prevent misuse of their data. The CMS will release further information about the breach as and when it becomes available.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.