Privacy concerns arose last week after news broke that Healthcare.gov is sending user information to private companies. Now, lawmakers are looking into the security implications of that information sharing.
Healthcare.gov is sharing user information — the extent of which is not certain, but at least includes age, income, ZIP code, smoking habits and pregnancy status, according to the Associated Press — with about 50 third-party companies without consumers’ knowledge.
Tuesday, the same day the Department of Health and Human Services celebrated the health insurance marketplaces reaching 9.5 million enrollees nationwide, a House Subcommittee on Research and Technology hearing focusing on cybersecurity took an unexpected turn when Rep. Dan Newhouse, R-Wash., addressed the website’s data-mining and its relation to information security.
Newhouse cited the AP story, questioning whether the presence of those companies “makes the website more vulnerable to attacks.”
There were no HHS or Centers for Medicare and Medicaid Services officials testifying at the Science Committee’s subpanel, so the answers Newhouse received from a pool of mostly cybersecurity experts were vague. But they did agree the data mining gives the website added risk.
“Certainly opening up the network, that would indicate that it would provide some additional vulnerability,” said Cheri McGuire, vice president of global government affairs and cybersecurity policy for Symantec Corp. Though she couldn’t speak to the specifics, she said, “I do find it surprising, though, that there are that many additive websites or technologies that are able to access the data.”
When asked about how Healthcare.gov’s actions are taken into account in the National Institute of Standards and Technology Cybersecurity Framework, Charles Romine, the director of NIST’s Information Technology Laboratory, couldn’t comment specifically, but he said the framework “does address privacy considerations in a more general context.”
Likewise, though Healthcare.gov is compliant with the Federal Information Security Management Act, Romine said it isn’t NIST’s job to make sure HHS and CMS are implementing the law properly.
“With regard to any specific agency, it’s really the CIO’s responsibility, with the inspector general, to follow up on ensuring the guidelines are met,” he said.
Healthcare.gov’s data sharing will become more than just a side note of the subcommittee cyber hearing. Republicans, who placed a target on the Affordable Care Act long before the website’s buggy launch in 2013, want answers.
Immediately after the article was published, Sens. Chuck Grassley, R-Iowa, and Orrin Hatch, R-Utah, penned a letter to CMS Administrator Marilyn Tavenner, who recently announced her intention to step down in February.
“This new information is extremely concerning, not only because it violates the privacy of millions of Americans, but because it may potentially compromise their security,” Grassley and Hatch wrote. “Individuals should know that when they use Healthcare.gov their information is being properly protected.”
CMS responded to the attention, saying the decision to include third-party data sharing was meant to better serve customers.
“One of the most cost-effective and best ways to reach the uninsured is through digital media and advertising,” Kevin Counihan, CEO and director of the federal marketplace, wrote in a blog post. “To do this well, we have contracts with companies that help us to connect interested consumers to HealthCare.gov and continuously measure and improve site performance and our outreach efforts.”
Since the news broke, Counihan said CMS has added extra layers of encryption to protect window shoppers on the website. He said CMS would continue to review the site for privacy and security concerns.