CMS on Friday announced the agency last week detected that hackers had breached part of HealthCare.gov, the federal government's online Affordable Care Act (ACA) exchange, compromising the about 75,000 consumer files, the Wall Street Journal reports.
Experts have raised concerns over HealthCare.gov's security since it launched in 2013. Former President Barack Obama's administration in 2014 said hackers had breached HealthCare.gov, but consumers' personal information had not been compromised. HHS' Office of Inspector General in a 2015 report said HealthCare.gov had fundamental security risks.
Details on the latest breach
CMS said early last week it detected suspicious activity on HealthCare.gov's Direct Enrollment Pathway, which is a system that allows agents and brokers to help consumers with their health plan enrollment applications.
CMS said it immediately took measures to secure HealthCare.gov's systems and informed federal law enforcement of the suspicious activity. CMS said it launched an initial investigation into the incident on Oct. 13 and declared the case a breach on Oct. 16. CMS said it deactivated the agent and broker accounts associated with the data breach and disabled the Direct Enrollment Pathway system. CMS estimated about 75,000 consumer files were affected by the breach, though, according to Fortune, it is not yet clear what type of data might have been accessed.
CMS said it is implementing new security measures to address the issue and is aiming to restore the Direct Enrollment Pathway this week. CMS said it "is in the beginning stages" of assessing the breach, adding, "This is an evolving situation and we will continue to provide additional information."
CMS said other channels within HealthCare.gov remain open.
CMS Administrator Seema Verma said, "I want to make clear to the public that Healthcare.gov and the marketplace call center are still available, and open enrollment will not be negatively impacted." The ACA's upcoming open enrollment period is scheduled to begin Nov. 1 and end Dec. 15.
Verma added, "We are working to identify the individuals potentially impacted as quickly as possible so that we can notify them and provide resources such as credit protection" (Armour, Wall Street Journal, 10/19; Alonso-Zaldivar, AP/Time, 10/20; Gallucci, Fortune, 10/20; Lotven, Inside Health Policy, 10/19 [subscription required]; CMS release, 10/19).
Learn more: How should your organization prepare and respond to breaches?
Want to learn more about what you should be doing in your role? Check out our new cybersecurity cheat sheet series which outlines what executives in every role should be doing—and the key questions they should be asking—to help their organizations stay secure.
Then, register to join us on October 30th from 3:00-4:00 pm ET to learn about how leading organizations have engaged their executive leaders in cybersecurity efforts.