ARRA News Service
Blogger/Editor/Founder: Bill Smith, Ph.D. [aka: OzarkGuru & 2010 AFP National Blogger of the Year]
Contact: editor@arranewsservice.com (Pub. Since July, 2006)

Thursday, December 05, 2013

Feds Not Required To Report Security Breaches of Obamacare Exchange Website

by Eric Boehm: Americans who buy health insurance through the federal Obamacare exchange website could have their personal information stolen by hackers and never even know it.

Most of the state-run health exchange websites will be covered by state laws that require notification when government databases are breached by hackers. But there is no law requiring notification when databases run by the federal government are breached, and even though the Department of Health and Human Services was asked to include a notification provision in the rules being drawn up for the new federal exchange, it declined to do so.

Other protections for individuals’ privacy, like the Health Insurance Portability and Accountability Act, or HIPAA, do not apply to the government-run exchange, only to health providers and insurance companies operating within the exchange.

Privacy advocates and cyber-security experts have had concerns about the lack of a federal notification law for years and hope the scrutiny of the Obamacare exchange will finally bring change.

“The notification requirement is a very important part of overall security,” said Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology. “People should be told when their information is at-risk.”

The lack of a notification requirement is particularly bad for the health insurance exchange website because of all the questions surrounding the site’s security. Poor security, coupled with the website’s high-profile problems, could make it a target for hackers either seeking to steal identities or embarrass the government.

Unfortunately, security is often an afterthought for the government, said David Kennedy, CEO of TrustedSEC, an Ohio-based cyber-security firm. Kennedy has testified before Congress about security threats in the Obamacare exchange and the need for notification laws.

“All we need is something that says if the federal government is breached, all we have to do is alert the public,” he told Watchdog.org. “Healthcare.gov is just one website of hundreds that have had these issues going back through the years.”

Together it creates a possible nightmare scenario. Without strong security on the front end, the hastily built and not fully operational website could become a treasure trove for hackers looking to steal identities. And without any law requiring that those victims be notified by the federal government, users of the federal health exchange will be in the dark about any potential security breaches of their private data.

When the federal Obamacare exchange was being developed by HHS prior to its troubled launch on Oct. 1, experts told the department that it should include a data-breach provision in its policies for the website even though one was not required under federal law.

[Photo caption: FIXED? The federal Obamacare exchange website was relaunched this month to much fanfare, but security remains a concern.]

The department flatly declined to do so.

The final rules for the exchanges were approved at a March 27, 2012, meeting of HHS officials, according to the Federal Register.

At that meeting, two commenters asked HHS to ensure the exchanges would promptly notify affected enrollees in the event of a data breach or unauthorized access to the exchange’s databases. One suggested that a full investigation be launched each time such a breach occurred, with the goal of holding hackers legally and financially accountable for breaking into the website.

The department’s response: “We do not plan to include the specific notification procedures in the final rule. Consistent with this approach, we do not include specific policies for investigation of data breaches in this final rule.”

Since there is no federal notification requirement, breaches of any and all federal databases can occur without the public ever being informed.

The only way to find out a hack has occurred is when the government decides to disclose it — as several federal law enforcement agencies did last month in response to attacks from Anonymous, a group of super-hackers who threatened to take down the FBI website and others.

But hacks that happen behind the scenes — potentially stealing everything from Social Security numbers to Department of Homeland Security watch lists — never have to be reported.

“That’s alarming because there could be a number of federal databases that are compromised already and we don’t know about it,” Kennedy said. “The exchange is part of a bigger problem.”

Federal privacy protections contained in HIPAA also do not apply to the databases created by the federal exchange website, McGraw said, even though health insurers doing business through the exchange must be HIPAA compliant.

In other words, the health plan itself is covered by HIPAA and any breaches of security that affect a consumer who has purchased a specific plan would have to be reported. But the process of choosing and purchasing a plan through the federal exchange — along with any information entered into the federal exchange as part of that process — is not subject to HIPAA protections.

“The problem with the exchanges is that they are such new entities, and they are so unique that existing laws don’t really cover them,” McGraw said.

But 48 states have laws on the books requiring that they give notification to individuals who may have had personal information stolen or leaked from a government database. Many states require that government agencies and departments alert the state attorney general so investigations can be launched.

In states that opted to run their own health insurance exchanges, those laws generally cover security breaches of the exchanges, McGraw said, though it depends on the specific wording of each state law.

Those state laws are how data breaches of several state-level health insurance exchange websites have come to light.

[Photo caption: Even Paul Bunyan and Babe the Blue Ox have taken criticism in their role as mascots for Minnesota’s health care exchange.]

In September, Watchdog.org reported on a data breach of the Minnesota health exchange — known as “MNsure” — that potentially affected as many as 2,400 people.

In Florida, concerns about data breaches of the state-run exchange website prompted Gov. Rick Scott to send a letter to Congress saying Floridians would not exchange privacy for insurance.

On the federal exchange, such breaches are possible, maybe even likely, since the site was launched without comprehensive testing of the security controls for the system.

A Sept. 27 memo to Medicare chief Marilyn Tavenner said insufficient testing of the website before the Oct. 1 launch “exposed a level of uncertainty that can be deemed a high risk,” the Associated Press reported in October.

Even though the federal government does not have to report any breaches of security, at least a few already have occurred.

The most high-profile case so far is that of Thomas Dougall, a South Carolina lawyer who had his personal information accidentally leaked to another person after using the Obamacare exchange last month.

“We logged on and compared some prices,” Dougall later told Fox News’ Greta Van Susteren. “We came home last Friday night to have a young man from a completely different state calling to tell me that when he logged on … he got all my personal information in exchange.”

Dougall only found out about that breach of security because the recipient was kind enough to give him a call. Without a requirement that the exchanges report such problems — whether the result of nefarious hackers or glitches in the programming — it is impossible to tell how many other Americans have had their private information released by the federal exchange.

Kennedy said he would not recommend that anyone use the federal exchange until it is more secure and until breaches of security are reported.

“I would say think twice about it, at least until we get more details,” he said.

Kennedy says he supports universal health care and his criticisms of the website are not rooted in political motivations. But the former U.S. Marine whose firm provides computer security to several Fortune 100 companies says there have been “zero changes” to the security of the health insurance exchange website in the run-up to the much-touted Dec. 1 re-launch.

Congress has debated a federal notification law in each of the past three years, but one has never been passed.

In July, during a hearing of the House Committee on Energy and Commerce, lawmakers heard testimony from a variety of experts who explained the need for a federal breach notification requirement.

David Thaw, a law professor at the University of Connecticut who specializes in cyber-security and the legal framework around it, said data breach notification laws, combined with comprehensive data security, are an essential part of protecting consumers and businesses.

“I analogize the effects of breach notification alone to locking the bank or vault door while leaving a back window wide open,” he said.

With the federal health insurance exchange, there are questions about whether the vault door has been adequately locked.

But there is no doubt that the back window is still wide open.
------------------
Eric Boehm first reported this for Watchdog.org. He can be reached at EBoehm@Watchdog.org. Follow him on Twitter @EricBoehm87

Tags: security breaches, Obamacare Exchange, website, Feds not reporting, Watchdog, Eric Boehm
Posted by Bill Smith at 4:31 PM

