What’s the Word From Healthcare.gov? “Trust Us With Your Most Sensitive Data.”

Linda Musthaler
By | October 25, 2013

Posted in: Network Security Trends

Healthcare.gov, the website for the Affordable Care Act, has been in the news a lot this month. Ever since it was launched to the public on October 1, it has been riddled with performance problems. Administration officials have stated that the issues stem from the sheer complexity of a system that is being asked to do so much.

I’m not going to pile on with the criticisms of performance issues and what is rumored to be a dearth of quality assurance testing. In fact, I sympathize with the people who have been contracted to develop the system. They were given a mountainous task and too little time to do everything necessary to build and thoroughly test the infrastructure and the front-end web apps.

In testimony before the Congressional House Energy and Commerce Committee on October 24, a representative from CGI Federal, one of the main contractors developing the system said CGI’s portions of the website worked when tested individually, but did not work once integrated with the entire system.

That shouldn’t come as a surprise to anyone with an inkling of an understanding about technology. Healthcare.gov, in its entirety, is said to be comprised of 6 main systems that must interact with numerous government agencies, including the Centers for Medicare and Medicaid Services (CMS) and the Internal Revenue Service (IRS). It also must interact with outside third parties such as Experian, which verifies applicants’ incomes in order to calculate eligibility for discounts.

In short, there are a lot of moving parts to this massively complex system.

With all of the finger-pointing and the blame assessments of why the system isn’t working well, what is getting lost in the shuffle is the privacy and security of the extremely sensitive data that the system collects and processes. Have you seen what information the federal government wants – no, requires – from its citizens? Anyone using Healthcare.gov (or the paper-based, phone center or in-person equivalent application) must provide the following information:

  • Personal identifiers for each person on an application, including name, address, date of birth and social security number

  • Citizenship or immigration status

  • Current employer and income information

  • All income sources and amounts, including wages, unemployment, pension, Social Security, retirement accounts, alimony, rent/royalties

  • Current health coverage you may possess, such as Medicaid/Medicare, Veterans Administration, or private provider, along with your policy number


The paper-based application asks for all this data and then these words are printed on the form: “Thanks! This is all we need to know about you.” Really, that’s all? The form also tells you why all this information is necessary, and how it might be used:





  We need this information to check your eligibility for help paying for health coverage if you choose to apply. We’ll check your answers using information in our electronic databases and databases from the Internal Revenue Service (IRS), Social Security, the Department of Homeland Security, and/or a consumer reporting agency. If the information doesn’t match, we may ask you to send us proof.

If you do enter your information, you’d better be certain that it’s complete and true, because the government says applicants are “under penalty of perjury” for providing false information.

Of course, this is simply to enroll in the system. Once you are actually able to connect with health insurance providers, they will want to collect some of your very personal health information. Do you smoke? Are you pregnant? Do you have current conditions or illnesses? Have you ever had any of these 50 odd ailments or diseases, and so on.

Are you beginning to get the picture about the nature of the data we are being asked to surrender to this behemoth system that – by everyone’s admissions in testimony to Congress – doesn’t work like it is supposed to? Is anyone else concerned that this data might, just might, be compromised in some way as it is moved around from one system to another, from one agency to another, and from one third party vendor to another?

Not to get into the political nitpicking about the Affordable Care Act, but one news report stated the following:

















  Earlier in the hearing Rep. Joe Barton (R-Texas) suggested visitors to the website could not be guaranteed their personal privacy, but Democrats argued the site is compliant with so-called HIPPA medical privacy laws.

Oh, OK, it makes me feel much better that “the site is compliant” with HIPAA medical privacy laws. I guess our congressional representatives don’t understand that “compliant” isn’t the same thing as “secure.” The site can be compliant at any given moment in time but that won’t prevent data breaches of the extremely sensitive data this system will have on each and every applicant. This system is a data thief’s dream.

I worry for anyone who has to provide data to this system, not just now but in the years ahead. I cannot believe that every measure possible has been taken to ensure that all of this sensitive data will be fully secured and kept private as it moves around so much. The headlines today are about the website not working properly. How long will it be until the headlines talk about a data breach?














You May Also Be Interested In: