94,000 Individuals' Personal Information Exposed in HealthCare.gov Data Breach

by | Nov 21, 2018

In October, the Centers for Medicare & Medicaid Services (CMS) revealed that the HealthCare.gov online portal had been hacked and the sensitive data of around 75,000 individuals had possibly been obtained.

This week, the CMS released an update on the breach confirming that more people had been impacted than was first thought. The revised estimate has seen the number of breach victims grow to 93,689.

The initial breach announcement did not include much detail about the precise nature of the breach or the types of information that had possibly been compromised. In the initial announcement, the CMS outlined that suspicious activity was found on the site on October 13 and that a breach was confirmed on October 16. Steps were swiftly taken to secure the site and stop any further data access or data theft.

The CMS started issuing breach notification letters on November 7. The letters go into the breach in more detail, including the sort of information that was possibly accessed.

CMS outlined that the ‘suspicious activity’ it found was certain agent and broker accounts conducting an abnormal number of searches for consumer information. Those searches returned results that contained the personal information of people listed in Marketplace applications.

The compromised agent and broker accounts were quickly deactivated and the Direct Enrollment pathway for agents and brokers was temporarily disabled while the system was secured. The Direct Enrollment pathway was brought back online on October 26.

The CMS has now confirmed that a wide range of sensitive information has possibly been accessed and stolen by the hackers, which may have included name, date of birth, address, sex, expected income, tax filing status, family relationships and a variety of other data.

The CMS has not been able to ascertain whether any personal information was obtained by the hackers, although as a precaution, individuals whose personal information has been exposed have been offered free identity theft protection services.

The investigation is continuing, and additional security measures are being implemented to prevent any further privacy breaches.

The HealthCare.gov website has had a difficult time since its launch. Malware was placed on a test server in July 2014, just a few months after the site went live. Audits by government watchdog agencies, including the Government Accountability Office (GAO), found a range of weaknesses and confirmed that there had been 316 security incidents involving the website and its supporting databases between October 2013 and March 2015.

While none of those incidents led to sensitive data being compromised, GAO did identify a number of security weaknesses that endangered data. These were in the technical controls used to safeguard data, the frequency of patching, encryption, auditing, monitoring, boundary protections, and identification and authentication.

It is unclear how the cyber criminals obtained access to login details and whether any of the GAO-identified weaknesses were targeted.


Patrick Kennedy
