HHS’ OIG Audit Reveals Security Vulnerabilities in ACA Database
The federal government stored the personal data of millions of Affordable Care Act enrollees in a computer network with basic cybersecurity flaws, according to a report released Thursday by HHS' Office of Inspector General report released Thursday, The Hill reports (Williams, The Hill, 9/24).
For the report, OIG reviewed CMS' procedures for protecting consumer information (Takala, Washington Examiner, 9/24).
Specifically, it examined MIDAS, a $110 million data repository for the information collected under the ACA.
The database does not include medical records. However, according to a government privacy impact statement, it does include:
- Employment status;
- Financial information
- Passport numbers; and
- Phone numbers.
The repository includes information of consumers who used HealthCare.gov and state-based exchanges (Alonso-Zaldivar, AP/San Diego Union-Tribune, 9/24). It also keeps information on consumers who start but do not finish an application on HealthCare.gov, as well information on individuals eligible for Medicaid (Washington Examiner, 9/24).
According to the report, flaws in the system included security policy issues and 135 database vulnerabilities, some of which were determined to be severe or catastrophic.
Among the database vulnerabilities:
- 22 were classified as high risk, meaning they could potentially result in severe or catastrophic outcomes;
- 62 were classified as medium risk (AP/San Diego Union-Tribune, 9/24); and
- 51 were classified as low risk (Washington Examiner, 9/24).
Other technical problems included:
- Failure to conduct some automated vulnerability tests that imitate cyberattacks and could reveal weaknesses in the system;
- Failure to terminate "generic accounts" used for maintenance or other special access during testing; and
- The use of a shared read-only account for access to the database that contained individuals' personal information (AP/San Diego Union-Tribune, 9/24).
Among other issues uncovered in the audit, OIG found that user sessions were not encrypted, which is standard practice among most online financial transactions.
CMS agreed with OIG's recommendations and said it had started fixing the vulnerabilities earlier this year (The Hill, 9/24).
Specifically, CMS Administrator Andy Slavitt said the issues had been addressed within a week of their identification, noting that "the privacy and security of consumers' personally identifiable information are a top priority" for the agency.
He said that all of the report's recommendations have been implemented, noting that the agency is:
- Conducting weekly vulnerability assessments; and
- An annual security review (AP/San Diego Union-Tribune, 9/24).
Meanwhile, HHS spokesperson Meaghan Smith said that no information had been lost because of the vulnerabilities. She said, "To date, no person or group has maliciously accessed personally identifiable information through HealthCare.gov or MIDAS" (Washington Examiner, 9/24).This is part of the California Healthline Daily Edition, a summary of health policy coverage from major news organizations. Sign up for an email subscription.