Upon learning that their credit card information might have been compromised, many of the nation's 40 million Target shoppers took action by cancelling their cards or contacting their banks and credit card companies. Unfortunately, people do not have the same option if their personal information is hacked at the Obamacare website.
"The difference is that Target notified consumers when a breach occurred, but the scary part here is that [Obamacare] consumers are not necessarily going to be told that their personal information has been breached," says Tom Flanigan, press secretary for Republican Rep. Diane Black of Tennessee.
"No one is forced to shop at Target, but they are forced to participate in the exchanges and to input very personal health information," Flanigan tells Newsmax.
Alarmed by ongoing reports of security lapses, Black has introduced the Federal Exchange Data Breach Notification Act of 2013, which would require the federal government to notify individuals if their personal information has been exposed or compromised.
In a statement announcing the measure, Black said her concerns have grown as tech experts "repeatedly raised red flags about the security of the information people are putting into the [Obamacare] exchanges."
"Americans deserve this basic notice so that they can protect themselves from cyber-attacks and identity theft. Most state-run exchanges are subject to laws that guarantee this notice, and the federal government imposes these same rules on the private sector, yet they have gone out of their way to avoid imposing this basic diligence on their own Obamacare exchange," Black said.
The Obama administration and Health and Human Services Secretary Kathleen Sebelius have publicly boasted about the improvements in the efficiency of Healthcare.gov, but the progress report issued at the beginning of December by the Centers for Medicaid and Medicare Services (CMS) contained no references to fixes to the widely reported security gaps on the website.
"There is an astonishing lack of required accountability for the federal government, regardless of whether the breaches are accidental, as most seem to have been, or intentional. This was an issue that was raised when HHS was putting together rules for the exchange, but they decided they were not going to do that," Eric Boehm of Watchdog.org tells Newsmax.
As Boehm noted in a recent article, there was a proposal offered to strengthen security measures prior to approval of the final rules for the exchanges were approved on March 27.
In that meeting, two individuals suggested taking steps to "ensure the exchanges would promptly notify affected enrollees in the event of a data breach or unauthorized access to the exchange's databases," Boehm wrote.
HHS responded that they had no plans "to include the specific notification procedures in the final rule. Consistent with this approach, we do not include specific policies for investigation of data breaches in this final rule."
In order to remedy the situation, Boehm says, HHS would have to devise and implement a specific department policy requiring disclosure to consumers of breaches, or an act of Congress.
Flanigan tells Newsmax that Black will be "pushing really hard with leadership" to move the bill forward after the Christmas break.
The importance of addressing the security risks was underscored by David Kennedy, a cyber-security expert, who told CNBC that while the website may be functioning more efficiently, adequate security fixes have not been made.
"You're trying to rush to keep the website — the front-end that we see every day — up-and-running. Unfortunately when you do that and you don't do any testing around that, you introduce new exposures," said Kennedy on SquawkBox.
According to a report released by TrustedSec, the average number of hacking events per at one International Fortune 500 company was 232 attacks a day during 2012, but the report noted the company had a "much smaller footprint and profile, and less publicity than the healthcare.gov website."
"Additionally, basic reconnaissance was performed on the Healthcare.gov website, and it appears that there are little to no preventative measures in place to stop attackers from hitting the website continuously, nor detect attackers," said the report.
In interviews conducted with HHS officials, the House Oversight and Government Reform Committee learned that since the October 1 launch of Healthcare.gov, at least two "high findings"
Also since October, there have been numerous reports of security breaches on state exchanges, including:
- On Minnesota's exchange, MNsure, an unencrypted file was inadvertently sent to the wrong individual. Up to 2,400 people had their private health information placed at risk when an employee with the exchange accidently sent information included in an Excel document to insurance broker Jim Koester.
- Koester told The Minnesota Star Tribune said he was not immediately concerned but "the more I thought about it, the more troubled I was. What if this had fallen into the wrong hands? It's scary. If this is happening now, how can clients of MNsure be confident their data is safe?"
- In November, the Oregonian reported that Cover Oregon officials committed three personal data breaches in three days. The cause of the problem apparently involved the processing of the paperwork, which included the use of a shared printer to print out individual claims. Cover Oregon is only processing paper applications because the exchange website is not able to enroll people yet.
- Justin Hadley, who logged on to the North Carolina exchange to determine his eligibility, received information about two separate individuals from South Carolina.
© 2021 Newsmax. All rights reserved.