Personal data including immigration status and employment information were compromised in a breach of HealthCare.gov that affected people who applied for coverage under the Affordable Care Act, former President Barack Obama’s hallmark healthcare reform law, the Department of Health and Human Services said Friday.
The Centers for Medicare and Medicaid Services (CMS), the division of HHS responsible for running HealthCare.gov’s online application portal — designated the Marketplace — has begun notifying approximately 75,000 people affected by the previously disclosed data breach, officials announced in an update about the incident.
Names, birthdates, addresses and partial Social Security numbers were compromised in the breach, as well as a various other personal, employment and immigration information, CMS wrote in a letter sent to individuals listed on affected applications.
“We are continuing to investigate this breach and putting additional security measures in place to make sure HealthCare.gov and the Marketplace process are safe and all consumer information is protected,” the letter said. “Please be assured that all information will be protected during Open Enrollment.”
Quietly published on HealthCare.gov, Friday’s update provided details about the data breach three weeks after CMS first acknowledged that sensitive but unspecified information involving roughly 75,000 individuals had been exposed as a result of “anomalous system activity” detected earlier last month.
“On October 16, 2018, we found that a number of agent and broker accounts engaged in excessive searching for consumers, and through those searches, had access to the personal information of people who are listed on Marketplace applications,” victims learned in a letter sent this week.
“We immediately shut off these agent and broker accounts, and also shut off the entire agent and broker function while changes were made to improve security,” the letters said.
Prior to being resolved, the breach resulted in “inappropriate access,” according to CMS, of records exceeding basic contact information, however.
Other data contained on compromised applications included applicants’ “expected income, tax filing status, family relationships, whether the applicant is a citizen or an immigrant, immigration document types and numbers, employer name, whether the applicant was pregnant and whether the applicant already had health insurance,” the letters said.
Financial and medical diagnosis and treatment information were not compromised by the breach, according to the agency.
Officials did not specify how the agent and broker accounts were breached, nor if officials had identified any potential suspects.
Representatives for CMS did not immediately return a message seeking further details sent over the weekend.
Also known as “Obamacare,” the Affordable Care Act allows Americans to obtain health insurance by applying through the government’s online Marketplace.
Around 11.8 million consumers obtained coverage through the program during the 2018 open enrollment period, CMS said in April.
Open enrollment for 2019 began on Nov. 1