News Feature | April 5, 2016

316 Security Incidents Revealed Around Healthcare.Gov

By Megan Williams, contributing writer

The poor state of security at CMS’ Federal Data Services Hub has been revealed in a report released March 23. According to FierceGovernmentIT, the report included the surprising announcement that Healthcare.gov was victim to 316 security incidents over a 17-month period. While the GAO is still concerned about the technical controls used to protect information that flows in and out of the site and to federal partners’ data systems, they are reporting that none of the incidents resulted in systems being compromised or any sensitive data being leaked.

The report (available here) was initiated to:

  • describe security and privacy incidents reported for Healthcare.gov and related systems
  • assess the effectiveness of security controls for the data hub
  • assess CMS oversight of state-based marketplaces and the security of selected state-based marketplaces

The hub in question serves as a central component in handling the sensitive information that flows through Healthcare.gov. Those flows include:

  • transferring application and taxpayer information
  • real-time eligibility queries
  • submitting health plan applications
  • exchanging and monitoring enrollment information with entities that issue qualified health plans

Deficiencies And Reaction

The report authors also noted that the state of security in state-based marketplaces needed improvement — largely due to inadequate firewalls and insufficient encryption.

Auditors expressed the most concern over CMS having taken a largely hands-off approach to marketplace oversight. While the agency has assigned some roles and met with officials to establish a reporting mechanism, it has not taken steps to document the extent of oversight responsibilities, nor has it fully outlined its procedures. The report authors noted, “While CMS has set requirements for annual testing of a subset of security controls implemented within the state-based marketplaces, it does not require continuous monitoring or annual comprehensive testing.”

Incident Impact

According to FedScoop.com, despite the security-related incidents, no personally identifiable information was leaked and Healthcare.gov was never penetrated by hackers. The majority of the incidents (191 of 316) were scans or probes, and only one involved hacker intrusion.

Mail issues accounted for 55 of the information-exposing incidents, with mail being sent to the wrong recipient or distributed via email to “a limited number of individuals.” The majority (311) of the incidents were classified as having “Moderate/Limited” impact.