Maybe three million people have signed up for Obamacare. That’s less than half the seven million that the administration expected by the end of open enrollment in March. There are several reasons for this shortfall: Many consumers (especially the young) find the coverage too expensive, many have given up trying to sign up via the website or by phone, and others are simply ignoring the risk that they will be fined (or penalized or taxed) for dodging the mandate to buy health insurance.
However, a large number of consumers would like coverage but are nervous about surrendering personal information to the Obamacare exchanges. They are right to be worried. The Centers for Medicare & Medicaid Services (CMS), which oversees the exchanges, has never had access to so much personal information about so many people. And its history of dealing with data it has collected gives grounds for concern.
Last December, the Government Accountability Office (GAO) published a report with a damning title: Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent.
The report is an eye-opener. From 2009 through 2012, the annual number of reported data breaches (affecting personally identifiable data) almost doubled from about eleven thousand to about twenty-two thousand.
CMS was one of the agencies examined by the GAO. During the period, CMS had few data breaches. This is not surprising, because it did not have a consumer-facing website that gathered personal data. Nevertheless, CMS failed to react responsibly to the small number of data breaches it allowed to happen. It neither assessed the likelihood and potential severity of harm associated with those incidents nor determined whether notification to affected individuals was needed. Indeed, according to GAO, “CMS did not document a risk level for 56 of the 58 incidents we reviewed” during the period.
That is: CMS did not bother to even assess the risk of exposing personally identifiable data for 97 percent of security breaches it experienced. And it does not (cannot) notify possibly affected individuals.
And the period examined ended almost two years before the Obamacare exchanges opened for business. Last October, CMS began enrolling people at healthcare.gov, the website for people applying for Obamacare health insurance if they are in a state with a federally run health-insurance exchange Millions have already surrendered personal data to the website.
David Kennedy, a cybersecurity expert who runs a firm called TrustedSec, revealed a startling problem during his testimony at congressional hearings on the security of healthcare.gov. He emphasized the lack of effective security for personal data submitted to the website. One can reasonably expect that he knows what he is talking about. He is a so-called “white-hat” hacker—companies hire him to break into their computers and then tell them how to fix the entry points he discovers. .
Obamacare’s own cybersecurity expert—a government employee—has claimed before congressional committees that everything is hunky-dory. But how can we trust him when the administration refuses to disclose what is going on under the hood of Obamacare?
Between November 27 and December 15, the supermarket Target suffered a breach that allowed hackers access to online customers’ credit-card and shopping data. The company immediately announced the problem, and is taking steps to address the consequences. It has a website dedicated to explaining what it is doing in response to the data breach.
As a private company, Target cannot afford to irritate its customers. The federal government, however, faces no such constraint, and is keeping a tight lid on Obamacare’s website problems.
Given CMS’s terrible history of managing data breaches, Americans reluctant to submit personal data over the Internet are not unduly paranoid. They are exercising reasonable caution. As for those who have already signed up for Obamacare: How many have already had their personal data compromised? Given the White House’s secrecy regarding Obamacare’s operations, those who have already signed up should also be nervous.