HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HealthCare.gov Data Breach Exposed Personal Information of 94,000 Individuals

Last month, the Centers for Medicare & Medicaid Services (CMS) announced that the HealthCare.gov website had been hacked and the sensitive data of approximately 75,000 individuals had potentially been compromised.

This week, the CMS issued an update on the breach confirming more people had been affected than was initially thought. The revised estimate has seen the number of breach victims increased to 93,689.

The initial breach announcement was light on details about the exact nature of the breach and the types of information that had potentially been compromised. In the initial announcement the CMS explained that suspicious activity was detected on the site on October 13 and on October 16 a breach was confirmed. Steps were immediately taken to secure the site and prevent any further data access or data theft.

The CMS started sending out breach notification letters on November 7 which explain the breach in more detail, including the types of information that were potentially accessed.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

CMS explained that the ‘suspicious activity’ it detected was certain agent and broker accounts conducting an unnatural number of searches to find consumer information. Those searches returned results that contained the personal information of people detailed in Marketplace applications.

The compromised agent and broker accounts were rapidly deactivated and the Direct Enrollment pathway for agents and brokers was temporarily deactivated while the system was secured. The Direct Enrollment pathway was brought back online on October 26.

The CMS has now confirmed that an extensive range of sensitive information has potentially been accessed and stolen by the hackers, which may have included the following data elements:

  • Name
  • Date of birth
  • Address
  • Sex
  • Last four digits of Social Security number (SSN) – if provided on applications
  • Expected income
  • Tax filing status
  • Family relationships
  • Citizen or immigrant status
  • Immigration document types and numbers
  • Employer name(s)
  • Pregnancy status
  • Whether the individual has health insurance
  • Information provided by other federal agencies and data sources to confirm application information
  • Whether the Marketplace asked the applicant for documents or explanations
  • Application result
  • Tax credit amounts
  • If an applicant enrolled, the name of the insurance plan, premium, and coverage dates

The CMS has not been able to confirm whether any personal information was stolen by the hackers, although as a precaution, individuals whose personal information has been exposed have been offered free identity theft protection services.

The investigation is continuing, and additional security measures are being implemented to prevent any further breaches.

The HealthCare.gov website has had a tough time since its launch. Malware was uploaded to a test server in July 2014, just a few months after the site was launched. Audits by government watchdog agencies, including the Government Accountability Office (GAO) identified a slew of vulnerabilities and confirmed that there had been 316 security incidents involving the website and its supporting systems between October 2013 and March 2015.

While none of those incidents resulted in sensitive data being compromised, GAO did identify a number of security weaknesses in the technical controls used to protect data, the frequency of patching, encryption, auditing, monitoring, boundary protections, and identification and authentication which placed data at risk.

It is unclear how the hackers gained access to login credentials and whether any of the GAO-identified weaknesses were exploited.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.