The Centers for Medicare and Medicaid Services (CMS) at the Department of Health and Human Services (HHS) did not implement auditor recommendations to protect personal information at HealthCare.gov, Politico reported.
An official told lawmakers that CMS "has not yet implemented auditors’ recommendations that it conduct privacy impact assessments on HealthCare.gov systems that store personal information," states Politico.
This is cause for concern considering the Office of Personnel Management (OPM) news that more than 21 million individuals had their sensitive information, including Social Security numbers and family and personal data, accessed by hackers because of a data breach.
"The U.S. Office of Personnel Management (OPM) has identified a cyber security incident potentially affecting personnel data for current and federal employees, including personally identifiable information (PII)," said OPM in a statement on June 4.
At a House Science, Space and Technology Committee hearing on the OPM data breach, Gregory Wilshusen, an information security expert at the Government Accountability Office (GAO), said he is not aware of any efforts by CMS to act on GAO’s recommendations regarding the Obamacare website. GAO recommended in September 2014 that CMS and HHS "implement security and privacy controls to enhance the protection of systems and information related to Healthcare.gov."
Rep. Barry Loudermilk (R., Ga.) asked the GAO expert to give federal cyber security a grade.
"I’ll go with D because in many respects there are improvements … but it’s getting to the effective implementation [of controls] over time consistently, that’s proved difficult," said Wilshusen.
"If the Office of Personnel Management was hacked for more than a year and no one knew, how can anyone be sure their personal information at HealthCare.gov hasn’t been compromised as well?" said Nathan Nascimento, senior policy adviser at Freedom Partners, a nonprofit group. "This failure to take these privacy concerns seriously is exactly why we need to get unaccountable federal bureaucrats out of our healthcare system. This administration was warned about the serious security concerns in HealthCare.gov from the beginning and didn’t act. When is Washington going to learn?"