Centers for Medicare and Medicaid Services (CMS) experienced a data breach leading to exposure of highly sensitive personal data of nearly 75,000 people. The CMS is a government system linked with healthCare.gov which assists insurance agents and brokers in helping people register for its healthcare plans.
An announcement was made late Friday by the CMS to confirm the data breach but details about the stolen data and content haven’t been provided as yet. It is, however, confirmed that personal files of 75,000 people have been exposed to hackers.
The brokers and agents use the Federally Facilitated Exchange’s Direct Enrollment pathway to convince customers to enroll in health insurance. The pathway was compromised by the attackers between 13 Oct and 16 Oct 2018, confirmed CMS.
See: Medical records & patient-doctor recordings of thousands of people exposed
It was also revealed that the accounts of hackers have been deactivated and the tool used to breach the system has been disabled as a precautionary measure. It is worth noting that the website HealthCare.gov and the Marketplace Call Center are online and available while access to the pathway will be restored within a week.
According to Seema Verma, the CMS admin at the agency:
“HealthCare.gov and the Marketplace Call Center are still available, and open enrollment will not be negatively impacted. We are working to identify the individuals potentially impacted as quickly as possible so that we can notify them and provide resources such as credit protection.”
HealthCare.gov website is the main portal used to sign up for an insurance plan, which was originally launched by President Obama under the Affordable Care Act, the healthcare law. The behind-the-scenes system was targeted by hackers. Instead of the website, it is the Direct Enrollment pathway that is used by agents and brokers to help customer enroll in new plans directly.
See: Washington State Marijuana Tracking System Hacked to Steal Route Data
Understandably, people are asked to provide extensive personal information to sign up for healthcare plans. This includes their names, Social Security number, and addresses. Verma also confirmed that open enrollment in upcoming healthcare plans that will be starting from Nov 1 will remain unaffected and that the agency is trying to identify the affected individuals to offer credit protection.
This however is not the first time when healthCare.gov is making headlines for the wrong reasons. In 2015, the portal was found sharing personal sensitive data of patients with marketers.