The Obama administration took on more security risks than it should have when it launched the federal Obamacare exchange last fall, government investigators said Wednesday.
The Government Accountability Office said officials at the Centers for Medicare and Medicaid Services did take steps to protect personal data on the complex new system. Among other efforts, its employees took privacy training, and the agency had a breach response plan.
“However, a system with this degree of complexity and involving such a sizeable number of interconnections can pose many security and privacy risks,” it said. “CMS did not take all reasonable steps to limit those risks.”
CMS officials told the GAO that no one person was responsible for security controls across the federal exchange system, and that the agency had not developed an alternate processing site to minimize service disruptions.
Investigators also said the agency did not finish testing each component of the exchange system before it approved its Oct. 1 launch, and was too willing to let states connect to a central data hub before they crossed off every item on a security checklist.
The report is among several reviews the GAO will perform to assist Congress in its oversight of the health care law.
This edition did not outline any breaches to the system or serious concerns that personal information was in imminent danger. Yet its warnings about security protocols will provide fuel to Obamacare’s opponents, who say the system is not fully secure and puts personally identifiable information at risk.
“Until it addresses shortcomings in both the technical security controls and its information security program, CMS is exposing Healthcare.gov-related data and its supporting systems to significant risks of unauthorized access, use, disclosure, modification, and disruption,” the report said.
A hacker broke into a part of the HealthCare.gov site in July and uploaded malicious software, according to the Wall Street Journal, although officials said the hacker did not gain access to personal data or enter sensitive parts of the system.
For its part, HHS said the privacy and security of consumers’ personal information are a “top priority” for the agency.
“CMS developed the marketplace systems consistent with federal statutes, guidelines, and industry standards that help ensure the security, privacy, and integrity of the systems and the data that flow through them,” the agency told GAO.
Obamacare established web-based health exchanges for each of the states and the District of Columbia, so that people could shop for private plans with the help of government subsidies or see if they qualified for Medicaid. About three dozen states relied on the federal exchange, HealthCare.gov, while the others set up their own portals.
The system linked into a federal data hub that cross-checked enrollees’ personal data, such as immigration status and household income, with several federal agencies.
GAO said four states — Mississippi, Oklahoma, Utah and West Virginia — had not resolved shortcomings in their plans to connect securely to the federal data hub.
Instead of denying the states, CMS accepted the risks and gave the states an interim 60-day authorization to connect, the report said.
An official told GAO that the administration did not deny access to any states “because CMS officials deemed it critically important that all states be able to connect to Healthcare.gov if they sought to do so.”
The report says the decision to proceed did not result in any breaches and each of the states later obtained the three-year authorization that fully compliant states had received.
Administration officials told the GAO that the data hub works as a pass-through of sorts and does not retain personal data on permanent storage devices. CMS disagreed with the investigators’ finding that it took on excessive risk by letting certain states hook into the hub.