Healthcare.gov’s security was potentially jeopardized more than 300 times from October 2013 to March 2015, according to an audit from the Government Accountability Office.
The 316 security incidents reported to the GAO by the Centers for Medicare and Medicaid Services were either attempts by hackers to compromise the Healthcare.gov system or occasions where consumers’ sensitive data was not properly secured.
"A security incident can occur under many circumstances and for many reasons," the audit said. "It can be inadvertent, such as from the loss of an electronic device, or deliberate, such as from the theft of a device, or a cyber-based attack by a malicious individual or group, agency insider, foreign nation, terrorist, or other adversary."
According to the report, some of the 316 security incidents involved consumers’ personally identifiable information, a category that includes Social Security numbers, names, dates, places of birth, and medical, educational, financial or employment information. Some of the 316 incidents included attempts by attackers to compromise part of the Healthcare.gov system, but the audit found no evidence that these attempts had succeeded.
Forty-one of the 316 security incidents, or 13 percent, involved personally identifiable information that was either exposed to an unauthorized individual or not properly secured.
"A basic management objective for any organization is to protect the confidentiality, integrity, and availability of the information and systems that support its critical operations and assets," the audit states.
"[The agency] did not effectively implement or securely configure key security tools and devices to sufficiently protect the users and information on the data hub system from threats to confidentiality, integrity, and availability," the audit said. The data hub is a portal that allows the federal marketplace to transmit consumers’ personal information to its external partners, which include federal agencies and state-based marketplaces.
"The privacy and security of consumers’ information is a top priority," said Aaron Albright, a spokesperson for the Centers for Medicare and Medicaid Services. "When consumers fill out their online health care Marketplace applications, the information they are providing is protected by stringent security standards."
"While no system is immune from attempted attacks or intrusions, CMS continually maintains and strengthens the security of HealthCare.gov and its supporting systems," Albright said. "As the GAO reported, to date, no person or group has maliciously accessed personally identifiable information through HealthCare.gov or supporting systems."