Obamacare System Breach Affects 75,000HHS Acts to Beef Up Security for Portal Serving Insurance Brokers, Agents
Federal regulators are working to shore up security of systems that support Obamacare in time for open enrollment season, which launches on Nov. 1, following the revelation of a breach that exposed data of 75,000 individuals.
The Centers for Medicare and Medicaid Systems - the unit of the Department of Health and Human Services that administers the Affordable Care Act, also known as Obamacare - in a Friday statement said agency staff recently detected "anomalous activity" in systems used by insurance agents and brokers to assist consumers who apply for health coverage.
The suspicious activity was detected in the Federally Facilitated Exchanges' direct enrollment pathway, which allows agents and brokers to assist consumers with applications. That pathway was launched in 2013. Consumers use the separate Healthcare.gov web portal.
"Healthcare is now in the top targeted industries, and there is no indication that this is going to lessen."
—David Finn, CynergisTek
"At this time, we believe that approximately 75,000 individuals' files were accessed. While this is a small fraction of consumer records present on the FFE, any breach of our system is unacceptable," CMS says in the statement.
"We will continue to work around the clock to help those potentially impacted and ensure the protection of consumer information," CMS Administrator Seema Verma says.
Despite the breach, "HealthCare.gov and the Marketplace Call Center are still available, and open enrollment will not be negatively impacted," Verma adds. "We are working to identify the individuals potentially impacted as quickly as possible so that we can notify them and provide resources such as credit protection."
CMS noted in its statement that the agency is in the "beginning stages" of assessing the breach. The agency did not immediately respond to an Information Security Media Group request for additional information regarding the incident, including the types of data exposed.
CMS says it followed standard and appropriate security and risk protocols for researching and reporting the incident.
"Upon verification of the breach, CMS took immediate steps to secure the system and consumer information, further investigate the incident, and subsequently notify federal law enforcement. We are actively engaged in and committed to helping those potentially impacted as well as ensuring the protection of consumer information," CMS says.
The agency says it began the initial investigation of anomalous system activity in the direct enrollment pathway for agents and brokers on Oct. 13, and it determined on Oct. 16 that a breach had occurred.
"The agent and broker accounts that were associated with the anomalous activity were deactivated, and - out of an abundance of caution - the direct enrollment pathway for agents and brokers was disabled," CMS says. "We are working to address the issue, implement additional security measures and restore the direct enrollment pathway for agents and brokers within seven days."
The tool through which the breach occurred is only available through the currently disabled direct enrollment pathway for agents and brokers, CMS points out. "As a result, the remaining FFE enrollment channels, including HealthCare.gov and the marketplace call center, remain operational."
Based on the limited details that CMS has released so far, "it is difficult to determine how the breach might have happened," notes former healthcare CIO David Finn, executive vice president at security consultancy CynergisTek.
"It could be anything from phishing to stolen credentials to a brute force attack," he says. "Agents and brokers should be taking a good look at their own users and sites. And any impacted consumer should be checking credit reports, claims, banks and even medical records."
It's safe to say that Healthcare.gov is a target for hackers, Finn says. "Healthcare ... is now in the top targeted industries, and there is no indication that this is going to lessen."
Several underlying drivers make healthcare-related data valuable to attackers, he notes. "The data is richer than just the kind of data that retail collects, for instance. In healthcare you have demographic, financial, insurance and often other types of information, and it is together in one place."
The breach is a reminder that all healthcare organizations need to ramp up their efforts to prevent breaches and react quickly when the inevitable security incident occurs, Finn says. "A lot of this still comes down to some basic best practices - access control, multifactor authentication and continuous monitoring of systems."
Security of the Healthcare.gov site, as well as the related backend systems of the Federal Facilitated Exchanges, has been closely scrutinized, even prior to the rocky launch of Obamacare's first open enrollment season in the fall of 2013. That launch was plagued with technical problems, including individuals encountering great difficulties accessing the site (see Insurance Exchanges: Work in Progress).
In addition, the lack of end-to-end security testing before the launch of HealthCare.gov on Oct. 1, 2013, had been a sore point focused on during several Congressional hearings that followed in the months afterwards.
Then in September 2014, HHS disclosed that that malware had been uploaded on a Healthcare.gov test server in July 2014. HHS officials said at the time that the malware was designed to launch a distributed denial-of-service attacks against other websites when activated. No consumer data was exposed in the incident, officials said.
In response to criticism from privacy advocates and others, HHS in 2015 also made a number of fixes to the Healthcare.gov site to scale back on the release of consumer data to third-party commercial sites. Changes made at that time included "adding a layer of encryption that reduces the information available to the third-party tools we use from [Healthcare.gov] URLs," HHS officials said at the time (see Healthcare.gov Makes Privacy Fixes).
Healthcare.gov systems have also been the subject of security reviews by various government watchdog agencies, including the Government Accountability Office.
For instance, in March 2016, GAO issued a report noting that between October 2013 and March 2015, CMS reported 316 security-related incidents affecting Healthcare.gov and its supporting systems (see Report Spotlights Healthcare.gov Security Weaknesses).
But the study also noted that none of the security incidents reported by CMS showed evidence that an outside attacker had successfully compromised sensitive data, such as personally identifiable information.
Nonetheless, that report noted GAO found weaknesses in systems and connections supporting Healthcare.gov, including the Federal Data Services data hub - a portal for exchanging information between the federal marketplace and CMS's external partners.
Among weaknesses GAO identified in technical controls protecting the data flowing through the data hub were insufficiently restricted administrator privileges for data hub systems, inconsistent application of security patches and insecure configuration of an administrative network.
In addition, GAO noted in the report that it also identified additional weaknesses in technical controls that could place sensitive information at risk of unauthorized disclosure, modification or loss. In a separate report, GAO recommended 27 actions to mitigate the identified weaknesses.