There is good news and bad news regarding Healthcare.gov. The good news is that despite the systemic failure infecting much of the site, there is one essential component — the federal data hub — that is working as it was designed. The data hub links federal-agency records together to determine whether an applicant for health insurance is eligible for subsidies. The bad news is that because the data hub is the largest consolidation of personal data in our nation’s history, it will become a magnet for identity thieves.
This isn’t idle speculation or fearmongering. Michael Astrue, who was commissioner of Social Security until February of this year, issued this warning this week in The Weekly Standard:
[The Department of Health and Human Services] opened the door to large-scale fraud by providing funding for tens of thousands of “navigators” — people who are supposed to persuade the uninsured to apply for coverage and then assist them in the application process. Instead of hiring well-screened, well-trained, and well-supervised workers, HHS decided to build political support for the Affordable Care Act by pouring money into supportive organizations so they could launch poorly trained workers into their communities without obtaining criminal background checks or creating systems for monitoring their activities.
As a practical matter, these navigators are unaccountable, and yet they will be asking people for Social Security numbers and other sensitive information. It will not take long for navigators to become predators, and HHS has no plan to deal with the new breed of predators it is creating.
Warning signs are already cropping up.
Thirteen state attorneys general sent a letter in August to HHS secretary Kathleen Sebelius warning her that the training and safeguards against identity theft by federally funded navigators may be inadequate.
More than 700 “cyber-squatter” websites with similar domain names have been created to siphon off some of the public traffic meant for Healthcare.gov. Some sites direct people to fill out an “Obamacare enrollment form,” even though they actually offer no insurance. A retired cybersecurity expert told the Washington Examiner that cyber-squatters generally drain 10 percent to 40 percent of a website’s traffic and that Obamacare sites may be on the high end of that range, given how many squatters it has attracted.
There will also be inevitable unauthorized releases of information. Minnesota’s health-care exchange inadvertently revealed the Social Security numbers of 2,000 state residents before its website even went up on October 1.
There is no federal requirement for background checks on navigators. It shouldn’t surprise anyone then that some people have found a way to form new “navigator” groups out of the ruins of ACORN, the notoriously corrupt left-wing “community organizing” group that saw dozens of its employees in multiple states convicted of fraud before and after the 2008 election. Fox News reported this month that the United Labor Unions Council Local 100 “was created by ACORN founder Wade Rathke after ACORN went bankrupt amidst widespread scandal.” The new group, which was reconstituted from old ACORN affiliates, has been accepted as part of the navigator program in several states.
“There is a real danger that Obamacare ‘navigators’ will harvest the data of applicants and use it outside of the context of the health exchanges,” says Bruce Webster, a leading IT consultant to private companies. “They couldn’t care less what plans you qualify for — but with sufficient personal information, they stand a much better chance of committing traditional identity theft on you. Or they might simply sell that information to those who will commit the actual identity theft.”
Concerns about the navigators prompted Representatives Diane Black (R., Tenn.) and Pat Meehan (R., Pa.), a former prosecutor, to write the HHS inspector general asking for a copy of the Security Control Assessment that HHS has filed with the inspector general. “We need to know what tests were performed, who did they consult with, what safeguards are in place to protect against cybersecurity attacks,” Black told me. Not surprisingly, the Obama administration has been less than forthcoming on all those issues.
Back in July (“Obama’s Branch of the NSA,” July 22), I warned that the navigators were a largely unsupervised and unregulated element of Obamacare that raised serious privacy concerns. I quoted Representative Paul Ryan, chairman of the House Budget Committee, as saying, “Giving community organizers access to the federal data hub is bad policy and potentially a danger to civil liberties.”
Everything we’ve learned about the health-care exchanges and Healthcare.gov should only heighten those concerns. Perhaps the reason we haven’t seen serious problems yet is that so few people can use the website to date. But once they do, it will be open to people genuinely looking for health insurance as well as to unscrupulous hucksters, and it may take some time for us to pry out of the Obama administration just how much the health-care exchanges could put the privacy of Americans at risk.
— John Fund is national-affairs columnist for National Review Online.