A data breach at Equifax involving 143 million people did not include information about consumers that purchased health insurance on the Affordable Care Act marketplaces, according to the Department of Health and Human Services.
The credit bureau holds a $329 million contract with HHS to verify incomes of individuals buying insurance on the exchanges, but an HHS spokesperson told Bloomberg that data was not compromised in the massive data breach.
The news outlet reported that Equifax is the only credit bureau working for HHS. The five-year contract ends in March.
The company is facing investigations from federal and state agencies, along with more than 30 lawsuits, according to Reuters. The Federal Bureau of Investigation has launched an investigation to determine how hackers gained access to the company’s database, the Wall Street Journal reported. New York Attorney General Eric Schneiderman also said his office was investigating the incident.
Meanwhile, the breach impacting more than half of all Americans has drawn the ire of lawmakers. Sen. Orrin Hatch, R-Utah, and Sen. Ron Wyden, D-Ore., sent a letter to Equifax CEO Rick Smith demanding answers about how the breach occurred and how the company responded. Sen. Brian Schatz, D-Hawaii, also sent a letter (PDF) calling the response “insufficient.”
FTC must investigate breach to assess whether Equifax did all it could to secure systems given sensitivity of the consumer data it holds.— Richard Blumenthal (@SenBlumenthal) September 8, 2017
The incident may trigger new legislation from lawmakers that could have ripple effects on healthcare. Sen. Dick Durbin, D-Ill., told Bloomberg that the hack is “an indictment of our current level of regulations when it comes to this industry and others.”
The Equifax attack could prove to be the breaking point for legislative action following a long line of attacks, many of which have focused on the healthcare sector. Earlier this year, Anthem agreed to pay $115 million to settle a class action lawsuit over its 2015 data breach that involved nearly 80 million members.
At the same time, another class action suit against CareFirst over a breach affecting more than 1 million people could be headed to the Supreme Court to determine whether the prospect of future harm from a breach is substantial enough to warrant legal action.