Friday, December 27, 2013

Government Not Required to Report Security Breaches of Obamacare Exchange Website

This is from Eric Boehm of Watchdog.org:
Americans who buy health insurance through the federal Obamacare exchange website could have their personal information stolen by hackers and never even know it. 
Most of the state-run health exchange websites will be covered by state laws that require notification when government databases are breached by hackers. But there is no law requiring notification when databases run by the federal government are breached, and even though the Department of Health and Human Services was asked to include a notification provision in the rules being drawn up for the new federal exchange, it declined to do so. 
Other protections for individuals’ privacy, like the Health Insurance Portability and Accountability Act, or HIPAA, do not apply to the government-run exchange, only to health providers and insurance companies operating within the exchange. 
Privacy advocates and cyber-security experts have had concerns about the lack of a federal notification law for years and hope the scrutiny of the Obamacare exchange will finally bring change. ... 
The lack of a notification requirement is particularly bad for the health insurance exchange website because of all the questions surrounding the site’s security. Poor security, coupled with the website’s high-profile problems, could make it a target for hackers either seeking to steal identities or embarrass the government. ... 
Together it creates a possible nightmare scenario. Without strong security on the front end, the hastily built and not fully operational website could become a treasure trove for hackers looking to steal identities. But without any laws requiring that those victims be notified by the federal government, users of the Federal health exchange will be in the dark about any potential security breaches of their private data. ...