It seems like healthcare.gov has had a security breach already in which limited personal information from two applicants was disclosed to another applicant. Kelsey Harris and Rob Bluey report:
Justin Hadley logged on to HealthCare.gov to evaluate his insurance options after his health plan was canceled. What he discovered was an apparent security flaw that disclosed eligibility letters addressed to individuals from another state.
“I was in complete shock,” said Hadley, who contacted Heritage after becoming alarmed at the breach of privacy.
Hadley, a North Carolina father, buys his insurance on the individual market. His insurance company, Blue Cross Blue Shield of North Carolina, directed him to HealthCare.gov in a cancellation letter he received in September.
After multiple attempts to access the problem-plagued website, Hadley finally made it past the registration page Thursday. That’s when he was greeted with downloadable letters about eligibility — for two people in South Carolina. (Screenshot below.)
One of the two individuals whose eligibility determination was disclosed to Mr. Hadley tried to contact healthcare.gov about the breach but got nowhere:
After learning of the privacy breach, Dougall spent Friday evening trying to contact representatives from HealthCare.gov to no avail; he spent an hour waiting on the telephone and an online chat session was unhelpful. He also wrote to Senators Lindsey Graham (R-SC) and Tim Scott (R-SC), along with Representative Joe Wilson (R-SC).
“I want my personal information off of that website,” Dougall said.
This is not the first report I’ve read about people having difficulty contacting anyone about security flaws or breaches, and the government needs a phone number posted on the home page for people to use to report security or privacy flaws.
Read more about this breach on The Foundry. Note that healthcare.gov’s marketplace application system went offline last night for a 12-hour period for some updating. Hopefully when it comes back online this morning, the problem noted above will have been addressed. If not, then the government isn’t paying enough attention and should be held responsible for not providing people with a way to report security and/or privacy breaches.