Christmas shoppers were stunned to learn last Thursday that computer hackers had made off with the names and other personal info of some 40 million Target customers. Some of the pilfered information is reportedly being sold on the black market, prompting JP Morgan Chase to limit purchases and cash withdrawals on debit cards owned by recent Target shoppers.
But at least Target informed its customers of the security breach, as it is required by federal law to do. HealthCare.gov faces no such requirement; it need never notify customers that their personal information has been hacked or possibly compromised. The Department of Health and Human Services was specifically asked to include a notification requirement in the rules it designed for the health-care exchanges, but HHS declined.
The Federal Register tells the tale about what happened on March 27, 2012, at a meeting on the issue.
At that meeting, two commenters asked HHS to ensure the exchanges would promptly notify affected enrollees in the event of a data breach or unauthorized access to the exchange’s databases. One commenter suggested that a full investigation be launched each time such a breach occurred, with the goal of holding hackers legally and financially accountable for breaking into the website.
According to a report by the group Watchdog.org, HHS responded: “We do not plan to include the specific notification procedures in the final rule. Consistent with this approach, we do not include specific policies for investigation of data breaches in this final rule.” In other words, the government doesn’t have to tell you about a security breach unless it decides it wants to — despite the fact that private companies are required to publicly disclose any incidents. State laws also require many of the 14 state-run insurance exchanges to disclose such information, but no such law exists for the federally run exchange, which 36 states rely upon.
The Watchdog report notes that it’s through state laws that we’ve learned the most about security problems in the exchanges. In September, the Minneapolis Star Tribune reported that “an official at MNsure, the state’s new online health insurance exchange, acknowledged it had mishandled private data.” A Minnesota insurance broker received an e-mail containing a trove of confidential information on more than 2,400 people, including their Social Security numbers and business addresses. A staffer at MNsure had accidentally sent the e-mail to him. “The more I thought about it, the more troubled I was,” Jim Koester, the recipient of the data, told the Star Tribune. “What if this had fallen into the wrong hands? It’s scary.”
Last July, Dave Jones, California’s insurance commissioner and a Democrat, expressed his concerns about inadequate security processes on his state’s exchange, one of the better-run ones. If unscrupulous people get hold of Social Security numbers, health records, or other private information of consumers “we can have a real disaster on our hands,” Jones told the AP. He has declined further comment since then.
In Florida, GOP governor Rick Scott is troubled that privacy guidelines will be ignored in the rush to try to enroll his state’s 3.5 million uninsured residents. He wrote to Congress this fall expressing worry that the thousands of “navigators” hired by private groups posed a possible security threat, given that they undergo no federal background checks: “As the push for ‘navigators’ to sign up Floridians on the federal health insurance exchange becomes more frenzied, the need to safeguard the personal information Floridians submit to the ‘navigators,’ and its use in a ‘federal data hub,’ is taking on paramount importance.” The workers the federal government hired to conduct the 2010 census were fingerprinted and underwent background checks. Not so the Obamacare “navigators.”
It’s not as if the Obama administration wasn’t notified of security concerns about its website. MITRE Corporation, an HHS contractor, alerted the agency that 19 unaddressed security vulnerabilities plagued the website before its launch on October 1. Last week, Teresa Fryer, the chief information-security officer for the Centers for Medicare and Medicaid Services (CMS), told the House Oversight Committee that she recommended that HealthCare.gov not launch on October 1 because of serious security concerns. “My evaluation of this was a high risk,” she told the committee in a private interview. Tony Trenkle, the project manager for the website, declined along with Fryer to sign the Authority to Operate (ATO) license needed to launch the site, which is why it had to be signed by Marilyn Tavenner, the political appointee in charge of CMS. Trenkle retired on November 13 and has declined to talk with reporters. But Fryer said her own concerns about security remain unaddressed because there have been “two high findings of risk” — the most serious warning level — in tests conducted in just the past few weeks. A CMS spokesman says both problems have been resolved.
Few cyber-security experts I spoke with for this article have much confidence that the government will quickly or competently reveal any security breaches on HealthCare.gov. On October 30, HHS Secretary Kathleen Sebelius testified under oath before Congress that “no senior official reporting to me ever advised me that we should delay” the launch of the website. But Fryer told the House committee that she had personally briefed Sebelius’s top aides on her findings on September 20, ten days before the site launched. While it may be true that Fryer and Trinkle don’t report directly to Sebelius, they both declined to sign off on the ATO needed to launch the site. At best, Sebelius has demonstrated a complete inability to follow or manage the security crisis, though it’s her responsibility to do so.
According to Bruce Webster, a consultant who has advised companies for 40 years on IT issues, the administration’s policy appears to be “security through obscurity,” a largely discredited approach. He told me:
They do not want to talk about their security measures; they do not want to talk about their security breaches; they do not want to inform affected citizens of compromised personal information. Their attitude reminds me of Lily Tomlin’s character Ernestine as an AT&T operator back when AT&T had a monopoly: “We don’t care. We don’t have to. We’re the phone company.”
Congresswoman Diane Black, a Tennessee Republican, is fed up with the obfuscation and evasion surrounding HealthCare.gov. She has introduced the “Federal Data Breach Notification Act,” which would require that the Federal Trade Commission notify anyone whose personal information has been jeopardized. “The federal government imposes these same rules on the private sector, yet they have gone out of their way to avoid imposing this basic diligence on their own Obamacare exchange,” she told me.
If the House and Senate have any basic concern for the privacy rights of Americans, they will catapult her bill onto President Obama’s desk ASAP. It is horrible news that Target’s security vulnerabilities allowed hackers to filch the names and personal information of customers. But it will be even worse if the federal government can continue to keep people in the dark about its own security breaches, leaving many Americans with big, fat targets on their backs for identity thieves.
— John Fund is a national-affairs columnist for National Review Online.