OIG’s Take On Healthcare.gov Patient Record Breach
The Department of Health and Human Services’ Office of Inspector General has taken the initiative to probe the healthcare.gov website in the wake of a huge security breach. The breach is estimated to have affected at least 75,000 health records. According to initial checks, only health records were exposed, not financial data such as banking information or tax records.
The Direct Enrollment pathway was the section of the site that was severely affected; the remainder of healthcare.gov remained untouched during the security breach. “Our number one priority is the safety and security of the Americans we serve. We will continue to work around the clock to help those potentially impacted and ensure the protection of consumer information. I want to make clear to the public that HealthCare.gov and the Marketplace Call Center are still available, and open enrollment will not be negatively impacted. We are working to identify the individuals potentially impacted as quickly as possible so that we can notify them and provide resources such as credit protection,” explained Seema Verma, the CMS Administrator who initially investigated the case.
Evidence points to October 16, 2018, as the date when the records were exposed to unknown third parties. Healthcare coverage has been a huge issue in the United States since the time of the previous administration. The data that people surrender to healthcare institutions is mostly personally identifiable information, which can be very profitable in the hands of cybercriminals. Information such as full names, Social Security numbers, patient records, insurance coverage records, immigration status, and citizenship are the usual components of a healthcare record at the very least.
Regardless of the result of the OIG’s investigation, CMS will continue to accept enrollment starting in November up to the 15th of December. “Consumer access to HealthCare.gov may be limited or restricted when this maintenance is required. Regular scheduled maintenance will continue to be planned for the lowest-traffic time periods on HealthCare.gov, including Sunday mornings. The purpose in scheduling these times is to minimize any consumer disruption. Like other IT systems, these scheduled maintenance windows are how CMS updates and improves our system to run optimally and are the normal course of business,” explained CMS.
This is not the first time that healthcare.gov has been involved in a cybersecurity issue. Between the last quarter of 2013 and the first quarter of 2015, around 316 cybersecurity issues were recorded. After that period of two years, a credible cybersecurity defense should have been installed to prevent future IT issues, but it seems that no one from healthcare.gov has received the memo. These issues were fully documented in the 2016 GAO report: “GAO identified significant weaknesses in the controls at three selected state-based marketplaces. These included insufficient encryption and inadequately configured firewalls, among others. The majority of these incidents involved such things as electronic probing of CMS systems by potential attackers, which did not lead to compromise of any systems or the physical or electronic mailing of sensitive information to an incorrect recipient,” explained the report.
Julia Sowells
Julia Sowells has been a technology and security professional. With a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, written technical articles, and worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm as a security consultant while continuing to write for Hacker Combat in her limited spare time.