- Associated Press - Tuesday, February 25, 2014

SACRAMENTO, Calif. (AP) - More than three months after it opened for business, California’s online health insurance marketplace had what federal officials described as a potential security flaw in its computer system and one that had already been disclosed publicly.

The concern is noted in a Jan. 10 email between officials with the federal Centers for Medicare and Medicaid Services, the agency that oversaw development of the online exchanges.

“CMS is now aware of a vulnerability with the CA exchange that has not been fixed and a reference to the weakness is posted in the public domain,” said the message sent last month from Tom Schankweiler, the agency’s marketplace information security officer.

The agency said it contacted Covered California, as the state marketplace is called, and learned that the state was already aware of the issue and was addressing it. There is no indication that any consumer information has been compromised.

“That simply has not happened,” said Dana Howard, a spokesman for Covered California.

The exchange’s computer system is monitored around the clock, and any security concerns are addressed as soon as they are spotted, Howard said. He described any problems encountered to date as “computer processing errors” that have been fixed.

“We certainly don’t have a security vulnerability, and we don’t have anything that’s publicly posted,” Howard said Tuesday.

The email from the Centers for Medicare and Medicaid Services official was contained in a batch of documents provided to Washington, D.C., bureau of The Associated Press. They show that more than two-thirds of the states tapping into federal computers to verify personal information were considered “high risk” for security problems immediately before or shortly after the Oct. 1 launch of the health insurance marketplaces.

At issue is the system allowing states to connect to a federal government information hub that helps determine whether people are eligible to buy insurance on the exchanges and whether they are eligible for a government subsidy. Among other things, connecting to the hub allows states to verify consumers’ income, citizenship and immigration status.

A state must go through a number of steps before it is allowed to connect to the federal data hub, including completing security checks and a risk assessment.

Because California was addressing its security concern appropriately, the Centers for Medicare and Medicaid Services, which runs the data hub, decided not to sever the state’s connection, the agency said in a written response to the AP.

The security concern noted by the federal government is just the latest glitch for the health insurance exchange in California, which is one of 14 states operating their own insurance marketplaces under the federal Affordable Care Act. The rest are operating under a federally run exchange.

The enrollment portion of the Covered California website came back up Monday after being taken down last Wednesday because of what the exchange described as a software malfunction. The problem arose Feb. 16 as technicians were updating the system, Howard said. The updates caused the enrollment portion to stall when consumers got partway through the process, forcing them to start over.

That problem is now fixed, Howard said.

Earlier, an error-prone directory of medical providers was removed from the website, and the online portal to help small businesses sign up for coverage was taken down. Covered California plans to have the provider directory back up by the time the next round of open enrollment begins in October and the small business portal running sometime next year.

Story Continues →