Health Exchange Security and Transparency Act

January 6, 2014

Americans Deserve To Know When Obamacare Has Put Their Personal Information At Risk

  • The Health Exchange Security and Transparency Act requires HHS to notify individuals if their personal information has been stolen or unlawfully accessed through an Obamacare exchange. This notification must occur no later than two business days after discovery by the Secretary. 
  • While the administration claims it will notify individuals in case of a breach, this notification should be required by law if an individual’s personally identifiable information is compromised. 
  • Congressional oversight has uncovered facts that raise serious concerns regarding the security of the law’s exchanges.
  • We have learned that the Department of Health and Human Services did not perform a full Security Control Assessment before the website went live on October 1st. Why? Because you cannot test something that is not complete, and the health exchanges are still not fully built.
  • Failure to conduct adequate end-to-end security testing also led officials to write CMS Administrator Tavenner, “From a security perspective, the aspects of the system that were not tested due to the ongoing development, exposed a level of uncertainty that can be deemed as a high risk…”
  • CMS’s Chief Information Security Officer, Teresa Fryer, stated in a draft memo that the federal exchange “does not reasonably meet ... security requirements” and that “there is also no confidence that Personal Identifiable Information (PII) will be protected.”
  • Experts at Experian recently wrote that the “healthcare industry, by far, will be the most susceptible to publicly disclosed and widely scrutinized data breaches in 2014.” This prediction was based in part on reports of security risks posed by the HealthCare.gov website and the health insurance exchanges established by various states, since the health care law’s infrastructure was “put together too quickly and haphazardly.”
  • These facts, on top of the fact that the administration has repeatedly misrepresented the functionality and readiness of the health law, raise serious questions regarding the security of personal information on HealthCare.gov.

###