GAO: Serious security concerns at state Obamacare exchanges

Think of all the information you supply an insurance company when you buy health insurance. Now imagine that information in the hands of identity thieves – or worse.

The incompetent design of some Obamacare state exchanges has left consumers open to data theft, according to a GAO report.

The Hill:

A federal watchdog has found security flaws in state-run ObamaCare exchanges in California, Kentucky and Vermont, potentially putting millions of customers’ data at risk.

The three states were found to have cybersecurity weaknesses such as insufficient encryption and inadequate firewalls, according to a months-long study by the Government Accountability Office.

California’s system, known as Covered California, is the nation’s largest state-run exchange. Both California and Kentucky have been touted as a national model, though Vermont has had a documented history of issues with its exchange.

The GAO’s investigation was released in March, but without naming the states. That information was reported Thursday by the Associated Press, in response to a Freedom of Information Act request.

Federal officials said their findings in the investigation, which was initially limited to those three states, likely mean that other states’ websites have faced similar cyber issues.

State officials in California and Kentucky told the AP that no breaches had been reported, while officials in Vermont declined to discuss the findings.

Vermont's non-response brings up an interesting question: would the feds or the states even bother to admit they had been hacked? Legally, they are under no obligation to inform consumers if there is a breach.

National Review:

At that meeting, two commenters asked HHS to ensure the exchanges would promptly notify affected enrollees in the event of a data breach or unauthorized access to the exchange’s databases. One commenter suggested that a full investigation be launched each time such a breach occurred, with the goal of holding hackers legally and financially accountable for breaking into the website.

According to a report by the group Watchdog.org, HHS responded: “We do not plan to include the specific notification procedures in the final rule. Consistent with this approach, we do not include specific policies for investigation of data breaches in this final rule.” In other words, the government doesn’t have to tell you about a security breach unless it decides it wants to — despite the fact that private companies are required to publicly disclose any incidents. State laws also require many of the 14 state-run insurance exchanges to disclose such information, but no such law exists for the federally run exchange, which 36 states rely upon.

Some states require notification of consumers if there's a breach, but the feds are immune.

I have far more confidence in a private insurance company protecting my personal information than I do any government entity connected with Obamacare.