The federal government had a record number of data breaches in 2012, revealing sensitive personal information of its employees across multiple agencies, according to the Government Accountability Office (GAO).
A total of 22,156 incidents, caused by nefarious cyber attacks, or inadvertent exposures by agency employees, occurred in 2012, according to a new GAO report on information security released on Wednesday.
The report comes as the launch of Healthcare.gov has raised concerns over the privacy of Americans personal information using the government website, which lacks fundamental security safeguards and is vulnerable to attack.
The GAO said security breaches into federal agencies "continue to occur on a regular basis."
"The term ‘data breach’ generally refers to the unauthorized or unintentional exposure, disclosure, or loss of sensitive information, including personally identifiable information (PII)," the report explained. "Having procedures in place to respond to a data breach is important in minimizing the risk of serious consequences such as identity theft or other fraudulent activity that could result from such losses."
"Despite steps taken to protect PII at federal agencies, breaches continue to occur on a regular basis," they said.
"During fiscal year 2012, federal agencies reported a record number of data breaches to the U.S. Computer Emergency Readiness Team (US-CERT)," the report added. "Specifically, 22,156 incidents involving PII were reported—a substantial increase over the 15,584 incidents reported in fiscal year 2011."
The GAO said a data breach could be "inadvertent, such as from the loss of paper documents or a portable electronic device, or deliberate, such as from a successful cyber-based attack by a hacker, criminal, foreign nation, terrorist, or other adversaries."
The record number of incidents is up from 10,481 in fiscal year 2009, representing a 111 percent increase in three years.
Cyber breaches continued in 2013. In one incident at the Department of Energy, 104,179 employees had their Social Security bank account numbers stolen "with relative ease" last July.
Concerns have also been elevated since the launch of Healthcare.gov. HHS proceeded to go live with the site on Oct. 1, despite knowledge of 19 security vulnerabilities that remained unaddressed.
Experts have warned Americans to stay away from Healthcare.gov because it lacks fundamental security safeguards and is under constant attack. The most popular searches on Healthcare.gov were hack attempts in the beginning days of the launch.
The House voted Friday to pass the Health Exchange Security and Transparency Act (H.R. 3811), which would require HHS to notify individuals within two days if their personal information was breached on the health exchange website.
The Centers for Medicare and Medicaid Services (CMS), which oversees the implementation of the health care law, was one of eight agencies the GAO reviewed in its analysis on information security.
As part of its review, the GAO examined the agencies for one year, between November 2012 and November 2013. The CMS, a division of the Department of Health and Human Services (HHS), had the second highest breaches of the eight agencies.
The CMS reported 4,172 incidents in FY 2012, second to only the Department of Veterans Affairs, which had 6,627. The IRS ranked third for most breaches, with 3,696. Together, CMS and the IRS accounted for nearly half of the 15,140 breaches reported by the eight agencies alone.
The GAO said that the agencies "generally developed, but inconsistently implemented, policies and procedures for responding to a data breach involving personally identifiable information (PII)."
Senate Committee on Homeland Security and Governmental Affairs Chairman Tom Carper (D., Del.) and Ranking Member Tom Coburn (R., Okla.) requested the GAO review.
In a statement to the Washington Free Beacon, Dr. Coburn urged the agencies to take up the GAO’s recommendations on preventing security breaches, and said safeguarding private information should be their chief concern.
"Americans have a right to know if their government has exposed them to potential fraud or other criminal activity," he said. "Agencies should take every precaution to safeguard Americans’ private information. In the unfortunate cases when they fall short, they should be transparent with the American people."
"GAO has outlined a number of steps the Office of Management and Budget can take in coordination with agencies across the federal government to improve notification practices," Coburn said, "and I look forward to working with Chairman Carper and the administration in making these changes to increase transparency."
The GAO made 23 recommendations regarding agency policy of security breaches, including that HHS Secretary Kathleen Sebelius direct the CMS to require documentation of their "risk assessment" for breaches involving PII, "document the number of affected individuals associated with each incident," and "require an evaluation of the agency’s response to data breaches."
HHS agreed with the recommendations in response to the draft report on Nov. 25, 2013. HHS said it already documents the number of affected individuals associated with every incident that exposes PII, and enters it into the CMS "incident reporting system."
HHS also said that CMS held its annual "privacy and security awareness week" last year, which distributed flyers and provided web links to agency staff in efforts to minimize the "most common breaches" that occur at the agency.
"CMS will continue to refine its processes to identify lessons learned and incorporate information in privacy and security policies and practices, as appropriate," they said.