health insurance-computer key_493635611Government audits continue to reveal that millions of people’s personally identifiable information is at risk. Continuous audit reports by the Office of the Inspector General (OIG) of The Department of Health and Human Services (HHS) reveal that online health care insurance exchanges could be the next juicy target for hackers looking for consumers’ personal information. To date, the OIG has identified security vulnerabilities in the federal exchange, and in the state exchanges in California, Kentucky, and New Mexico. While all the audited entities have begun the necessary bulwarking of their exchanges, there is room for improvement.

The health care exchanges are online marketplaces for subsidized insurance set up as part of the Affordable Care Act (ACA). The ACA gives each of the states the option to utilize the federal exchange or build their own. Although there is a unique interface to each of the exchanges in the 12 states that have built their own, they all allow consumers to input biographical information to determine coverage and compare rates. These data include names, dates of birth, social security numbers, citizenship statuses, passport numbers, financial information, employment information, and incarceration histories. The OIG found that the audited exchanges fail to comply with federal security requirements and thus create the potential for hundreds of millions of users’ personal information to be compromised. The detected vulnerabilities include bugs, un-encrypted user sessions, inadequate authentication, and inadequate password protection. Some exchanges – both federal and state – have already been targeted by overseas hackers. The Government Accountability Office (GAO) is expected to release a report later this year detailing multiple cybersecurity incidents involving the federal exchange.

The rules for health care exchange cybersecurity are promulgated by the Centers for Medicare and Medicaid Services (CMS). The rules state, “PII [personally identifiable information] should be protected with reasonable operational, administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.” CMS has issued guidance for state exchange security, listing several critical controls, including malware protection, data loss prevention, controlled use of administrative privileges, data recovery capability, and penetration tests.

In its audits, The OIG measured the exchanges’ security against the CMS rules and guidance, as well as against other federal laws such as the Health Insurance Portability and Accountability Act (HIPAA). True to its word, the OIG has conducted additional audits on the federal and state exchanges, and has discovered faults in other technical areas such as the eligibility verification process. Following the Feds’ lead, state auditors are also uncovering cybersecurity weaknesses in the exchanges.

If an exchange is targeted in a cyberattack, it is unclear whether consumers would be notified if their information were stolen (with the exception of exchanges where HIPAA or state law corollaries apply, as these laws dictate specific notification procedures). While many states have laws in place that specify protocols for consumer notification, the federal government has no obligation to inform consumers if their personal information is stolen.

While there are no clear indications that consumer data has been stolen from the exchanges as of yet, observers will not know for certain until the GAO releases its forthcoming 2015 report. In the meantime, the exchanges remain tantalizing targets for hackers.