Data Breach Disclosed Confidential Information of 94,000 People

Nov 17, 2018


Last month, the Centers for Medicare & Medicaid Services (CMS) declared that the website had been hacked and the confidential data of roughly 75,000 people had possibly been compromised.

This week, the CMS released an update on the breach verifying more people had been affected than was originally thought. The revised estimation has seen the number of breach sufferers increased to 93,689.

The original breach declaration was light on details concerning the precise nature of the breach and the kinds of information that had possibly been compromised. In the original announcement, the CMS clarified that doubtful activity was noticed on the site on October 13 and on October 16 a breach was verified. Steps were instantly taken to secure the site and avoid any more data access or data theft.

The CMS began sending out breach notification letters on November 7 which clarified the breach in more detail, including the kinds of information that were possibly accessed.

CMS clarified that the ‘doubtful activity’ it noticed was that a certain agent and broker accounts were carrying out an abnormal number of searches to find customer information. Those searches returned outcomes that contained the private information of people detailed in Marketplace applications.

The compromised agent and broker accounts were swiftly deactivated and the Direct Enrollment path for agents and brokers was provisionally deactivated while the system was protected. The Direct Enrollment pathway was brought back online on October 26.

The CMS has now verified that an extensive range of confidential information has possibly been accessed and stolen by the hackers, which might have included the following data elements:

  • Name
  • Date of birth
  • Address
  • Sex
  • Last four digits of Social Security number (SSN) – if provided on applications
  • Expected income
  • Tax filing status
  • Family relationships
  • Citizen or immigrant status
  • Immigration document types and numbers
  • Employer name(s)
  • Pregnancy status
  • Whether the individual has health insurance
  • Information provided by other federal organizations and data sources to verify application information
  • Whether the Marketplace asked the applicant for documents or explanations
  • Application result
  • Tax credit amounts
  • If an applicant enrolled, the name of the insurance plan, premium, and coverage dates

The CMS has not been able to verify whether any private information was stolen by the hackers, even though as a precaution, people whose private information has been exposed have been offered free identity theft protection facilities.

The inquiry is continuing, and additional safety measures are being implemented to avoid any more breaches.

The website has had a difficult time since its launch. The malware was uploaded to a test server in July 2014, just a few months after the site was introduced. Audits by government watchdog organizations, including the Government Accountability Office (GAO) identified a slew of vulnerabilities and verified that there had been 316 safety occurrences involving the website and its supporting systems between October 2013 and March 2015.

While none of those occurrences led to confidential data being compromised, GAO did identify a number of safety vulnerabilities in the technical controls used to safeguard data, the frequency of patching, boundary protection, auditing, encryption, monitoring, and identification and authentication which placed data at risk.

It is unclear how the hackers gained access to login identifications and whether any of the GAO-identified vulnerabilities were abused.