Experts: Personal Data Not Secure on Health Insurance Exchanges


By Steve Bates December 15, 2014

Hackers could gain access to the personal data of Americans who use the federal and state health insurance exchanges, according to two government reports and experts on electronic data security.

The exchanges, created under the federal Affordable Care Act (ACA), are working to improve the protection of personal data provided by individuals as they apply for insurance coverage, according to the reports and experts. However, much remains to be done, and some experts say that the exchanges might never be completely impervious to attacks.

“One hundred percent security is impossible,” said Kenneth K. Dort, a partner in law firm Drinker Biddle’s Intellectual Property Practice Group in Chicago. “The name of the game is risk minimization.”

There has already been one reported breach of the federal website. On Sept. 4, 2014, the Centers for Medicare & Medicaid Services (CMS), which runs the exchange, said that a hacker or hackers uploaded malware on a server that supports the exchange website but does not contain users’ personal information.

Some states operate their own insurance exchanges; others allow the federal government to run theirs. All exchanges that receive federal funds are bound to stringent data security rules. However, compliance remains a massive challenge.

Typically, Americans who seek to enroll in a health insurance plan through an exchange provide their name, address, birth date, Social Security number and salary information. To determine eligibility and perform other functions, the exchanges must share this data with other government agencies and with private entities such as insurance companies. These operations add significantly to the information security challenge.

The federal exchange and some state exchanges suffered from initial design flaws when they first came online, and the push to make them function smoothly also complicated the task of securing personal information, experts say.

Personal data protection “wasn’t integrated into the process,” said Michael Ebert, an expert on health care and data security at audit, tax and advisory firm KPMG in Philadelphia. “They didn’t bake it in. They tried to bolt it on.”

“There is absolutely no way that a project that was so poorly executed can successfully protect private data,” said Peter Robichau, a health care technology author, speaker and consultant.

A U.S. Government Accountability Office report issued in September 2014 found that “while CMS has taken steps to protect the security and privacy of data processed and maintained by the complex set of systems and interconnections that support, weaknesses remain in both the processes used for managing information security and privacy, as well as the technical implementation of IT security controls.”

The report said that “increased and unnecessary risks remain of unauthorized access, disclosure, or modification of information collected and maintained by and related systems, and the disruption of service provided by the systems.”

Also in September 2014, the Office of the Inspector General of the U.S. Department of Health and Human Services (HHS) released a report on the federal exchange and the state exchanges in Kentucky and New Mexico. The report cited “two critical vulnerabilities” in the website of the federal exchange that “placed the confidentiality, integrity, and availability of PII (personally identifiable information) at risk and could have allowed unauthorized access to PII.” The report found that the two states’ exchanges had implemented security controls but that additional improvements were needed.

A spokesman for HHS, which oversees CMS, did not respond to requests for an interview with SHRM Online.

J. Deane Waldman, a pediatric cardiologist at the University of New Mexico Hospitals and a member of the board that oversees the New Mexico exchange, acknowledged that personal data security remains a challenge. “The law (ACA) is basically unworkable, and we’re trying to make it work,” he told SHRM Online. “We’re doing the best we can.” Waldman said his comments are his opinions and do not represent the New Mexico exchange board on which he sits. He noted that the New Mexico exchange will assist applicants only with Small Business Health Options Program (SHOP) plans until fall 2015, when it will add individual health coverage. Part of the reason for that delay, he said, was to ensure that data security systems are tested adequately before full operation.

Waldman emphasized that the sharing of information among medical professionals is essential to effective health care. “Security and information-sharing are two sides of a balanced scale,” he said. Health exchanges must facilitate both.

“There are bad people out there who will take advantage of anything,” noted Connie Stack, chief marketing officer of security firm Digital Guardian, who is based near Boston. “Security professionals need to plug every hole; the hacker only needs to find one.” She said she believes that health exchange data security professionals “are taking the right steps.”

Layna S. Cook, an attorney with the Health Law Group at Baker Donelson in Baton Rouge, La.,said that people who use the exchanges also “need to be vigilant” in protecting their personal information. “Provide the information required and no more. Be careful who you provide it to.”

Health exchange officials and individual consumers “have to continually monitor the landscape,” said Dort of Drinker Biddle. “Threats change and techniques change. It’s a never-ending battle.”

Steve Bates is a freelance writer in the Washington, D.C., area and a former writer and editor for SHRM.​


Job Finder

Find an HR Job Near You
Search Jobs
Post a Job


Global Human Capital Trends on Their Impact on Your Organization. June 27, 2 p.m. ET / 11 a.m. PT

Global Human Capital Trends on Their Impact on Your Organization. June 27, 2 p.m. ET / 11 a.m. PT

Register Today


Find the Right Vendor for Your HR Needs

SHRM’s HR Vendor Directory contains over 10,000 companies

Search & Connect