This week, the Centers for Medicare and Medicaid (CMS) has announced an update on the recent HealthCare.gov website breach. Last month, hackers gained access to a health insurance system that interacts with the HealthCare.gov website. At the time, it was estimated that the attackers accessed files containing the sensitive information of approximately 75,000 individuals.
In the update released this week, the CMS confirming more people had been affected than was initially thought. The revised estimate has seen the number of breach victims increased to 93,689.
The initial breach announcement issued soon after the attack was discovered contained very few details about the exact nature of the breach and the types of information that had potentially been compromised. In the initial announcement the CMS explained that suspicious activity was detected on the site on October 13 and on October 16 a breach was confirmed. Steps were immediately taken to secure the site and prevent any further data access or data theft. At the time, CMS announced that the total number of files that were potentially compromised in the attack were only a small percentage of the number of files held on the system, and the majority of files remained secure.
In accordance with HIPAA’s Breach Notification Rule, the CMS sent out breach notification letters on November 7 to those affected by the breach. The letters contained details about the breach, including types of information that were potentially accessed and information about their response to the attack.
In the letter, CMS explained that the ‘suspicious activity’ it detected was certain agent and broker accounts conducting an unnatural number of searches to find consumer information. Those searches returned results that contained the personal information of people detailed in Marketplace applications.
The compromised agent and broker accounts were rapidly deactivated and the Direct Enrollment pathway for agents and brokers was temporarily deactivated while the system was secured. The Direct Enrollment pathway was brought back online on October 26, once it was confirmed that the system was secure again.
The CMS has now confirmed that an extensive range of sensitive information has potentially been accessed and stolen by the hackers, which may have included the following data elements:
- Name
- Date of birth
- Address
- Sex
- Last four digits of Social Security number (SSN) – if provided on applications
- Expected income
- Tax filing status
- Family relationships
- Citizen or immigrant status
- Immigration document types and numbers
- Employer name(s)
- Pregnancy status
- Whether the individual has health insurance
- Information provided by other federal agencies and data sources to confirm application information
- Whether the Marketplace asked the applicant for documents or explanations
- Application result
- Tax credit amounts
- If an applicant enrolled, the name of the insurance plan, premium, and coverage dates
The CMS was unable confirm whether any personal information was stolen by the hackers and used for malicious purposes. As those affected by security breaches such as this have a higher risk of being a victim of identity theft, individuals whose personal information has been exposed have been offered free identity theft protection services. It is recommended that everybody remain vigilant, and report any suspicious activity on their accounts to the relevant authority.
The investigation is still ongoing. The CMS has taken steps to implement additional security measures and update their security policies to prevent any further breaches.
The HealthCare.gov website has been subject to hundreds of cybersecurity attacks since its launch in October 2013. Audits by government watchdog agencies, including the Government Accountability Office (GAO) identified a slew of vulnerabilities and confirmed that there had been 316 security incidents involving the website and its supporting systems between October 2013 and March 2015 alone.
While none of those incidents resulted in sensitive data being compromised, GAO did identify a number of security weaknesses in the technical controls used to protect data, the frequency of patching, encryption, auditing, monitoring, boundary protections, and identification and authentication which placed data at risk.
In the case of the most recent incident, it is still unclear how the hackers gained access to login credentials and whether any of the GAO-identified weaknesses were exploited.
More updates will be issued in the coming months.