A health insurance system connected to the HealthCare.gov website was hacked according to the Centers for Medicaid & Medicare Services (CMS). The sensitive data of about 75,000 people were potentially accessed by the hackers.
A CMS personnel identified the anomalous activity going on in the Federally Facilitated Exchanges system and the Direct enrollment pathway that agents and brokers use to register their clients for their medical insurance coverage. The CMS confirmed the data breach on October 16 and announced the cyberattack publicly on October 19, 2018.
The hackers were able to access only a small number of files, which represent just a tiny portion of the total volume of consumer files saved in the system. Nevertheless, the breach was still sizable and serious. The files included data, such as names, phone numbers, addresses, income data and Social Security numbers, which the consumers gave to agents and brokers when applying for healthcare plans.
The CMS confirmed the access of the files by unauthorized persons but it is certain at this time if the attackers actually stole the files. Investigators are still working on the cyberattack case, while CMS is now employing new security measures to avoid more attacks. It was necessary to temporarily take the Direct Enrollment system offline in order to apply the new security updates. The process is expected to last for about one week. Hopefully, the Direct Enrollment system will be back online beginning November 1.
CMS Administrator Seema Verma stated they make the safety and security of the people they serve their top priority. They are working hard continually to assist potentially affected consumers and to protect their personal information.
The CMS remarks that only the system that agents and brokers use was affected by the attack. The HealthCare.gov website, which consumers use to personally register for medical insurance coverage, was not affected by the breach. Both HealthCare.gov and the Marketplace Call Center are still accessible to the public.
The CMS is going to send breach notification letters to all people whose personal data were potentially compromised. The affected consumers will also receive additional information on how to protect themselves against the misuse of their information. Additional information about the breach will be announced when it is available.