5 min read

Healthcare.gov Detects Significant Breach On Enrollment Exchanges

George V. Hulme

October 26, 2018

Healthcare.gov Detects Significant Breach On Enrollment Exchanges

The Center for Medicare and Medicaid Services (CMS) announced that it has detected anomalous activity in its Federally Facilitated Exchanges (FFEs) Direct Enrollment pathway for agents and brokers. This is the system that enables agents and brokers to help consumers with their coverage applications to the FFEs. One can imagine the type and quantity of sensitive information shared on these systems.

Currently, CMS said, they believe the files for about 75,000 people were accessed without authorization.

“Our number one priority is the safety and security of the Americans we serve. We will continue to work around the clock to help those potentially impacted and ensure the protection of consumer information,” said CMS Administrator Seema Verma in a statement. “I want to make clear to the public that HealthCare.gov and the Marketplace Call Center are still available, and open enrollment will not be negatively impacted. We are working to identify the individuals potentially impacted as quickly as possible so that we can notify them and provide resources such as credit protection.” 

According to the news announcement, the anomalous activity was detected and declared within three days. That could explain why we don’t know yet what type of information was accessed. Hopefully we’ll know soon.

When breaches are detected and announced that quickly it’s common for the total number of affected people to increase as the investigation unfolds. I hope that’s not the case here, but it often is.

According to the news release, CMS followed standard and appropriate security and risk protocols for researching and reporting the incident. “Upon verification of the breach, CMS took immediate steps to secure the system and consumer information, further investigate the incident, and subsequently notify Federal law enforcement. We are actively engaged in and committed to helping those potentially impacted as well as ensuring the protection of consumer information,” the agency said

They promise to keep investigating and to provide more information. The news release is available here.

There have been dozens of healthcare related data breaches this year, such as in January Oklahoma State University Center for Health Sciences announced that an unauthorized user entered their network in November and accessed folders that held the Medicaid billing information for 279,865 patients.

In one of the largest breaches of the year, attackers managed their way onto the health database managed by the Singapore government and the data of 1.5 million patients were accessed for nearly one week. According to news stories, attackers gained a foothold on a workstation and then used logon credentials to further their way onto the database.

I expect data breach notifications to increase, and we will continue to see successful ransomware attacks, misconfigured systems, government networks unsecured, and so on.

The news site HealthcareITnews.com has a curated list of healthcare breach stories for the entire 2018 year, so far, available here.

Last month, Filip Truta reported here according to Kroll, the number of reported data security incidents received by the UK Information Commissioner’s Office increased by 75 percent over the previous two years. Much of that increase can be attributed to GDPR and other data breach notification laws. So it’s reasonable to expect the number of healthcare related databreach notifications to only increase. “As a member of the European Union, the United Kingdom is subject to a strict regime of data protection. But under the GDPR, this regime applies to the entire European Union, and indeed the world,” he wrote.


Contact an expert



George V. Hulme

George V. Hulme is an internationally recognized information security and business technology writer. For more than 20 years Hulme has written about business, technology, and IT security topics. From March 2000 through March 2005, as senior editor at InformationWeek magazine, he covered the IT security and homeland security beats. His work has appeared in CSOOnline, ComputerWorld, Network Computing, Government Computer News, Network World, San Francisco Examiner, TechWeb, VARBusiness, and dozens of other technology publications.

View all posts

You might also like