The federal government stored the personal information of millions of insurance marketplace customers in a massive data warehouse with basic security flaws, according to a report from the Department of Health and Human Services' Office of the Inspector General.
The $110 million Multidimensional Insurance Data Analytics System, or MIDAS, does not store medical records, but does contain personally identifiable information (PII). That data includes names, Social Security numbers, birth dates, addresses, phone numbers, passport numbers, employment status and financial account information of customers on Healthcare.gov and state insurance marketplaces.
This isn't the first security issue involving Healthcare.gov. A report last fall from the Government Accountability Office outlined weaknesses both in the processes used for managing information security and privacy on the site and in the technical implementation of its IT security controls.
Privacy advocates and politicians have criticized MIDAS, calling it a potential target for cyber thieves. Though the National Archives recommended that the government store the data for no longer than 10 years, the government hasn't decided how long it will store the information, which is another major concern, FierceHealthPayer previously reported.
Problems found by the audit, which took place from August to December 2014, include:
- The Centers for Medicare & Medicaid Services didn't disable unnecessary generic accounts in its test environment.
- MIDAS did not encrypt user sessions.
- The system didn't conduct automated vulnerability assessments that simulate known attacks.
- It used a shared read-only account to access the database that contained the PII, making it difficult to know which individual had read the material.
OIG also said its database vulnerability scans identified 22 high-, 62 medium- and 51 low-severity vulnerabilities. In a letter, CMS said all the issues had been addressed by February.
Another GAO report is expected this year about multiple cybersecurity "incidents" for Healthcare.gov, according to The Hill.