The Future of Health CarePosted: October 1, 2013 | |
Obamacare security breach leaks data of 2,400 customers
Sarah Hurtubise reports: An employee of Minnesota’s Obamacare exchange, MNsure, sent an unencrypted file to the wrong person and left 2,400 people’s private information at the mercy of a nearby insurance agent.
One exchange staffer’s simple mistake gave insurance broker Jim Koester access to an Excel document of Social Security numbers, names, addresses and other personal data for whole a list of insurance agents. Luckily for the 2,400, Koester was cooperative — and unnerved.
“The more I thought about it, the more troubled I was,” Koester told the Minnesota Star Tribune. “What if this had fallen into the wrong hands? It’s scary. If this is happening now, how can clients of MNsure be confident their data is safe?”
While MNsure officials called Koester and ensured the data was deleted from the insurance company’s hard drives, such an easy breach of confidentiality before the Obamacare exchanges have even gone live heighten the security concerns many have already raised about the law.
Obamacare’s Federal Services Data Hub has received heavy criticism for insufficient security and delayed testing. The data hub will centralize and route private information of every Obamacare participant through an endless list of federal and state agencies and related businesses, but lawmakers are worried about privacy as the deadline approaches.
Pennsylvania Republican Rep. Pat Meehan, who has been leading the charge to delay the data hub, criticized the security breach. “Obamacare’s data hub hasn’t even gone live yet, and already there are massive data breaches,” Meehan said in statement. “What more has to happen to convince this administration that the data hub is not ready for prime time?”
Obamacare exchange officials aren’t the only agents that will have access to private consumer data in the data hub. Along with any federal or state officials working with Obamacare, program “navigators” will have access to consumer information in order to help them make decisions about what insurance plan is the right choice.
Navigators will only receive 20 hours of training before having access to consumer data, a policy which turned heads at a tense congressional hearing. Pennsylvania Republican Rep. Scott Perry pointed out, “It takes 1,250 hours to become a barber in Pennsylvania, but to navigate insurance, these folks are going to be advising us with 20 hours?”
The data sent in the Minnesota email did not have any increased cybersecurity efforts attached to it. “The gorilla in the room is that they sent me something that’s not even encrypted. It’s unsecured, on an Excel spreadsheet,” Koester told reporters. “They’ve got to realize they have a huge problem.”
The completion date for cybersecurity testing on the data hub has been delayed until September 30, the day before Obamacare exchanges open for business.
But Meehan was not convinced. “It’s time to delay the data hub, now,” the congressman concluded.