Federal legislators seek answers on ACA data security

Three members of Congress--Rep. Joe Pitts (R-Pa.), Rep. Patrick Meehan (R-Pa.) and Rep. Diane Black (R-Tenn.)--are seeking answers this week about the security of healthcare data with regard to the Affordable Care Act.

Pitts aims to protect the information that consumers submit to ACA exchanges through proposed legislation--the Health Exchange Security and Transparency Act--unveiled Monday. The bill, to be considered by the House this week, would require the U.S. Department of Health & Human Services to notify individuals within two business days of any breach on the ACA's exchanges that could endanger personal data.

"People getting healthcare through new exchanges have to submit a great deal of personal information," Pitts said in an announcement. "With HealthCare.gov continuing to undergo maintenance and construction, computer security experts have warned that this data could be vulnerable to hackers. Identity theft can be devastating to individuals and families. We need to make sure that the government promptly notifies exchange enrollees if their data is stolen."

Pitts added that he and his colleagues repeatedly asked about the security of HealthCare.gov before its launch, saying that now it's "clear that there has been a lack of proper security measures and thorough testing."

It was reported last fall that a government memorandum signed off on by Centers for Medicare & Medicaid Services Administrator Marilyn Tavenner revealed that she allowed HealthCare.gov to launch without final security testing. Meehan and Black sent a letter to Tavenner this morning requesting information on why this happened.

"Now that HealthCare.gov is open for business, it is imperative that Congress be provided the information necessary to understand how the federal exchange was certified and what protections are in place to protect Americans using the system," the letter stated. "What process has been implemented to monitor the ongoing effectiveness of security controls and the progress of actions taken to correct vulnerabilities?"

In October, HHS Secretary Kathleen Sebelius said at a Congressional hearing that the site had a temporary "authority to operate" certificate for the Oct. 1 launch, and that the agency would issue a permanent certificate once security concerns were alleviated and full testing had been completed.

At that same hearing, Sebelius harped on the security of the data hub--the controversial centerpiece of the insurance exchange website--saying users' information was safe.
