EXECUTIVE SUMMARY:

On Friday, the Centers for Medicare and Medicaid Services (CMS) announced new findings relating to an October data breach targeting the healthcare.gov portal. While no financial account details or diagnostic information were stolen, other sensitive personally identifiable information (PII) was accessed.

Currently it is estimated that about 75,000 people are affected by this data breach. However, as has been a trend with data breaches, that number could change.

CMS started calling those affected on November 5, followed by a letter explaining what happened. While it’s unclear how cyberattackers were able to hack into the records, CMS spotted irregularities that raised a flag. “On October 16, 2018, we found that a number of agent and broker accounts engaged in excessive searching for consumers, and through those searches, had access to the personal information of people who are listed on Marketplace applications.”

According to Gizmodo, the Direct Enrollment system, which Americans use to enroll in healthcare plans under the Affordable Care Act, was the primary target of the October breach. “The affected portal is used by insurance agents and brokers to help Americans in the process of signing up for health coverage,” explains Gizmodo.

CMS says that it shut down the agent and broker arm of the portal while it implemented changes to beef up security.

Below is a list of the types of data that CMS believes was compromised, as outlined in its letter:

- Name, date of birth, address, sex, and the last four digits of the Social Security number (SSN), if SSN was provided on the application;
- Other information provided on the application, including expected income, tax filing status, family relationships, whether the applicant is a citizen or an immigrant, immigration document types and numbers, employer name, whether the applicant was pregnant, and whether the applicant already had health insurance;
- Information provided by other federal agencies and data sources to confirm the information provided on the application, and whether the Marketplace asked the applicant for documents or explanations;
- The results of the application, including whether the applicant was eligible to enroll in a qualified health plan (QHP), and if eligible, the tax credit amount; and
- If the applicant enrolled, the name of the insurance plan, the premium, and dates of coverage.

This type of information adds to the already rich supply of personally identifiable details that are out in the wild. As Cyber Talk reported a couple of weeks ago, there’s a ripple effect when sensitive data is exposed. The more information that becomes available to cybercriminals, the easier it is to add color and detail to the profiles they are building in their identity theft efforts.

Considering that 81.5 million voter records are for sale on the dark web along with logins for millions of Facebook users, the exposure of sensitive details from the healthcare.gov portal becomes even more worrisome. Organizations in the private and public sectors need to think about the harm caused to the individuals they serve. Offering free identity theft insurance to those affected is not enough. Organizations need to implement solutions that prevent data breaches and adopt a rigorous cybersecurity mindset throughout the organization.