The Centers for Medicaid and Medicaid Services is continuing to work with law enforcement to investigate a breach of Healthcare.gov discovered on October 16 that could have affected 93,689 consumers, an increase from the 75,000 originally estimated, CMS said Tuesday.
CMS has notified individuals whose personal information was exposed.
THE IMPACT
In a November 7 letter to those affected, CMS said it didn’t know whether any of the information was actually assessed or misused. However, because the breach involved sensitive information, including partial Social Security numbers, there could be a risk of identity theft, CMS said.
The incident involved personal information that was stored by the health insurance marketplace on Healthcare.gov, CMS said. Licensed insurance agents and brokers search for consumers who have an application stored there. But a number of agents and brokers engaged in “excessive searching,” CMS said.
THE TREND
The breach was discovered less than two weeks before open enrollment began on November 1.
Healthcare organizations are attractive and frequent targets for cyber attackers, such as the Anthem breach that exposed the protected health information of an estimated 79 million members.
Anthem paid $ 16 million in a record HIPAA settlement, to the Department of Health and Human Services, Office for Civil Rights.
WHAT ELSE YOU NEED TO KNOW
Healthcare.gov applications include name, date of birth, address, sex and the last four digits of the person’s Social Security number. Other information provided includes expected income, tax filing status, family relationships, an employer’s name and immigration documents, if applicable.
The information does not include bank account numbers, credit card numbers, diagnosis or treatment information, CMS said.
CMS has reached out to all affected consumers by phone and has mailed notification letters to offer free credit protection. The agency is offering additional services such as identity monitoring, identity theft insurance and identity restoration services.
Since the breach, CMS has been putting additional security measures in place to make sure Healthcare.gov and the marketplace processes are safe and all consumer information is protected.
ON THE RECORD
“On October 16, 2018, we found that a number of agent and broker accounts engaged in excessive searching for consumers, and through those searches, had access to the personal information of people who are listed on marketplace applications,” CMS said in the letter. “We immediately shut off these agent and broker accounts, and also shut off the entire agent and broker function while changes were made to improve security.”
Twitter: @SusanJMorse
Email the writer: susan.morse@himssmedia.com