Tuesday marked the first day of open enrollment for the health-insurance exchanges set up by the Affordable Care Act. It didn’t go very well: Would-be health-insurance consumers in at least 47 states encountered technical problems. These so-called glitches, however, mask a much more serious concern for consumers: protecting sensitive data. The lack of sufficient security surrounding the exchanges should give potential enrollees pause.
In August, a coalition of attorneys general from 13 states wrote Health and Human Services secretary Kathleen Sebelius to express concerns over consumer privacy and oversight of “navigators,” counselors charged with assisting consumers enrolling in the exchanges. Specifically, the attorneys general asked what policies were in place to screen and monitor program personnel, prevent fraud and remedy cases of it, and regulate the navigators at the state level. But chief among their concerns was whether sufficient safeguards were in place to prevent security breaches.
In September, the concerns of the attorneys proved prescient. An employee of Minnesota’s health exchange accidentally sent 2,400 Social Security numbers, complete with names and addresses, to an insurance broker applying to become a navigator. Not only was the information mishandled, it was sent in an unencrypted and unsecured spreadsheet, suggesting additional lapses in security.
Concerns are not limited to the 13 attorneys general who wrote to Secretary Sebelius. In California, state insurance commissioner Dave Jones — an early supporter of the ACA — expressed worry that the 21,000 personnel providing customer support for the exchanges lacked proper oversight and could “obtain information that will allow them to build the trust they have with the individual they’re working with and potentially sell them all manner of bogus products, steal their identity, [and] gain access to certain assets they might have.”
Commissioner Jones is not alone in his unease. A report from the House Oversight Committee found that top HHS officials are similarly worried about the potential for identity theft. HHS officials expressed concern that individuals may pose as navigators to defraud consumers — because there is no way for consumers to verify who is certified — or that certified navigators themselves may misappropriate sensitive data due to lack of oversight, training, and safety protocols. Navigators are required to undergo as little as five hours of training before handling sensitive data, and are not subject to background checks.
In the coming months, millions of consumers will interact with the ACA for the first time via exchanges, renewing the nation’s focus on the sweeping health-reform law and shedding full light on the myriad of privacy and personnel concerns.
Despite acknowledged risks to consumers, the one-year delay to the ACA’s employer mandate and small-business exchanges, and the administration’s having already missed half the law’s deadlines, it’s now clear that the White House was intent on debuting exchanges whether or not they were ready. It would be prudent, regardless of whether one supports the Affordable Care Act at all, for enrollment to be halted until HHS can implement proven safeguards to protect consumer privacy. As things stand: Buyer beware.
— Sean Riley is the director of the American Legislative Exchange Council’s Task Force on Health and Human Services. Ed Walton is a legislative analyst at the American Legislative Exchange Council.