The personal data of millions of Americans who signed on with the Affordable Care Act (ACA) for health insurance was still at risk due to poor security practices at Healthcare.gov even after the agency said the issues were fixed, a federal audit found.
The The Health and Human Services (HHS) Inspector General Inspector General (IG) said the genesis of this audit was to “to assess whether CMS (Centers for Medicare and Medicaid Services) had implemented information security controls to secure the PII related to the Multidimensional Insurance Data Analytics System (MIDAS) and a certain number of its supporting databases.” MIDAS is the outside database that stores personally identifiable information for ACA members.
The HHS IG found that the CMS had still failed to check for basic security flaws that would have found the vulnerabilities on MIDAS, which houses customer data.This after the IG had issued a report last year on these and other security problems and that CMS had said were fixed.
Some of the problems the audit uncovered were password weakness, not encrypting user sessions, shared read-only account for access to the database with the personal information, and not disabling unnecessary generic accounts. In addition, the IG discovered 135 database vulnerabilities, 22 of which are considered high risk and 62 of medium risk.
No personal medical data was at risk or was breached. However, personal information such as names, Social Security numbers, addresses and employment information could have been accessed, the report stated.
“In written comments, CMS concurred with all of our recommendations. CMS reported that it remediated all vulnerabilities and addressed all findings we identified before we issued our final report. We have since reviewed the supporting documentation and verified CMS’s remediation,” the report concluded.