U.S. Rep. Tom Graves (R-GA-14) issued the following statement after he voted for, and the House passed, the Health Exchange Security and Transparency Act (H.R. 3811), a bill to require the Health and Human Services Department (HHS) to notify individuals if their personal information has been stolen or unlawfully accessed through an Obamacare exchange:
“The conduct of the Obama Administration, particularly over the past year, gives the public little hope that it will be forthcoming with information about Obamacare’s failures. Whether it’s the broken website or broken promises about keeping your plan or doctor, prying the full truth out of this Administration has proved to be very difficult.
“Given that track record, I strongly support this legislation to force HHS to be open and transparent about Obamacare security breaches. There are still major concerns about the security of the exchanges, with experts warning that millions could be at risk. People in the exchanges have a right to know if their personal information has been stolen.”
Specifically, H.R. 3811, which passed today by the bipartisan vote of 291-122, requires the Department of Health and Human Services to notify individuals, within two business days, of a breach of any security system maintained by a federal or state exchange that is known to have resulted in personally identifiable information being stolen or unlawfully accessed.
More background information on Obamacare exchange security concerns (courtesy of the House Energy and Commerce Committee):
- The Department of Health and Human Services did not perform a full Security Control Assessment before the website went live on October 1.
- Failure to conduct adequate end-to-end security testing also led officials to write CMS Administrator Tavenner, “From a security perspective, the aspects of the system that were not tested due to the ongoing development, exposed a level of uncertainty that can be deemed as a high risk…”
- CMS’s Chief Information Security Officer, Teresa Fryer, stated in a draft memo that the federal exchange “does not reasonably meet the CMS security requirements” and that “there is also no confidence that Personal Identifiable Information (PII) will be protected.”
- Experts at Experian recently wrote that the “healthcare industry, by far, will be the most susceptible to publicly disclosed and widely scrutinized data breaches in 2014.” InformationWeek reported: “[Vice President of breach resolution service at Experian, Michael] Bruemmer said he is basing this prediction at least partly on reports of security risks posed by the HealthCare.gov website and the health insurance exchanges established by various states. The web infrastructure to support health insurance reform was ‘put together too quickly and haphazardly.’… The organizational infrastructure behind the implementation of Obamacare is also complex, meaning that many parties have access to the personal data and could misuse or mishandle it. ‘So we have volume issues, security issues, multiple data handling points -- all generally not good things for protecting protected health information and personal identity information.’”