Covered California’s E-mail Insecurity

The personal information of hundreds of Obamacare enrollees was jeopardized.

Covered California jeopardized the personal-identification information of at least 378 Obamacare enrollees, according to records reviewed by National Review Online. In most of these instances, navigators sent consumers’ confidential data to Covered California representatives using an “email [that] was not encrypted or otherwise secure,” violation notices stated — a direct violation of the health exchange’s policy.

Dana Howard, a spokesman for the health exchange, says “there is no indication [that consumers’ personal-identification information] was compromised,” adding that these violations constitute “a very minimal risk.” But cyber-security experts contacted by NRO expressed significant concerns.

At least seven times, navigators sent Social Security numbers insecurely. Furthermore, though the personal data sent through unencrypted e-mail varied by incident, information sent insecurely included driver’s-license numbers, immigration-document numbers, household income, employment information, health conditions, home addresses and phone numbers, birth dates, eye and hair color, and weight, to name a few examples.

Michael Gregg, a cyber-security expert who has testified before Congress about risks at Healthcare.gov, tells NRO that personal information should never be sent unencrypted because there’s a risk of unauthorized access. “Would you write your Social Security number on a postcard and drop it off at the post office?” Gregg asked. “I wouldn’t. Think of e-mail as a postcard. Anything written on the back of a postcard can be read by anyone; e-mail is basically the same.”

Covered California’s spokesman objected to the postcard analogy, calling it “inaccurate.”

Gregg continued: “E-mail is clear text; so in transit, e-mail can be intercepted and the contents disclosed to hackers or other unauthorized persons. It’s easy to do, and if the individual is checking their mail on an open WiFi connection, at a hotel, coffee shop, etc., it’s very easy.” Even if an unencrypted message reaches its intended recipient, breaches can still occur, because that data is often retained in e-mail systems, computers, smartphones, or tablets, he said.

According to Covered California records, one navigator told a security consultant that she was conducting enrollments over the phone and receiving and transmitting paperwork by e-mail because she had no office for Covered California work.

William Nolte, a public-policy expert at the University of Maryland’s Cybersecurity Center, tells NRO that when private personal information is sent by e-mail, the technical risk is “extremely high — it’s negligently high,” even if it’s somewhat unlikely a bad actor will stumble across the opening and exploit it.

The ability to access an insecure e-mail is “within the technical capabilities of God knows how many thousands of people,” Nolte says. “You don’t have to have a lot of skill. Now, the odds that any individual is going to get his identity stolen or in some other way be harmed: You can say that in an actuarial sense, it’s pretty low. But I don’t think that excuses the authority or contractor. I don’t think they’re being diligent in protecting the information.”

When Covered California learns of information sent insecurely, it informs the navigator grantee of the violation. That organization’s primary contact is asked to review and sign Covered California’s privacy- and security-training manual and to ensure that all navigators “immediately cease and desist from sending [personally identifying information] via unsecure methods,” according to several such letters reviewed by NRO.

One navigator was linked to at least nine incidents where confidential consumer information was sent unsafely. But to date, Covered California has not fired any navigators for violating its privacy and security policies, Howard says, because “this is a policy, it’s not a requirement,” and because “this is just a very small likelihood of anything taking place, of any identifiable information being compromised.”

But Nolte says that even if the odds were minimal, it’s still bad practice. “You have a fiduciary responsibility with that information, and you protect that,” he says. “It seems to me that in doing this — I don’t care if it’s 1 percent of [Covered California] employees who do it or 2 percent, or 300 cases or 8,000 — it’s irresponsible, and there’s no other word for it.”

— Jillian Kay Melchior is a Thomas L. Rhodes Fellow for the Franklin Center for Government and Public Integrity. She is also a Senior Fellow at the Independent Women’s Forum.
