This week, the CMS released an update on the breach confirming that more people had been impacted than was first thought. The revised estimate puts the number of breach victims at 93,689.
The initial breach announcement did not include much detail about the precise nature of the breach or the types of information that had possibly been compromised. In the initial announcement, the CMS outlined that suspicious activity was found on the site on October 13 and that a breach was confirmed on October 16. Steps were swiftly taken to secure the site and stop any further data access or data theft.
The CMS started sending breach notification letters on November 7. The letters go into the breach in more detail, including the sort of information that was possibly accessed.
The CMS outlined that the ‘suspicious activity’ it found was certain agent and broker accounts conducting an abnormal number of searches for consumer information. Those searches returned results that contained the personal information of people listed in Marketplace applications.
The compromised agent and broker accounts were quickly deactivated and the Direct Enrollment pathway for agents and brokers was temporarily disabled while the system was safeguarded. The Direct Enrollment pathway was brought back online on October 26.
The CMS has now confirmed that a wide range of sensitive information has possibly been accessed and stolen by the hackers, which may have included name, date of birth, address, sex, expected income, tax filing status, family relationships and a variety of other data.
The CMS has not been able to ascertain whether any personal information was obtained by the hackers, although as a precaution, individuals whose personal information has been exposed have been offered free identity theft protection services.
The investigation is continuing, and additional security measures are being implemented to prevent any further privacy breaches.
The HealthCare.gov website has had a difficult time since its launch. Malware was placed on a test server in July 2014, just a few months after the site went live. Audits by government watchdog agencies, including the Government Accountability Office (GAO), found a range of weaknesses and confirmed that there had been 316 security incidents involving the website and its supporting databases between October 2013 and March 2015.
While none of those incidents resulted in sensitive data being compromised, GAO did identify a number of security weaknesses that put data at risk, in the technical controls used to safeguard data, the frequency of patching, encryption, auditing, monitoring, boundary protections, and identification and authentication.
It is unclear how the cyber criminals obtained access to login details and whether any of the GAO-identified weaknesses were targeted.