ObamaCare Unlikely to Secure Americans' Private Information

ObamaCare requires that the government know Americans’ financial, medical, and employment information. This data should be private, yet the Office of the Inspector General (OIG) of the Department of Health and Human Services (HHS) says that the Obama administration has not set up adequate safeguards to protect Americans’ private information under the new healthcare system.

Reuters indicates that the OIG’s study, released on Friday, discovered that the Centers for Medicare & Medicaid Services (CMS)–the HHS agency that is running ObamaCare–“had set a May 13 deadline for its contractor to deliver a plan to test the security of the crucial information technology component.”

Though a test to assess firewalls and other security systems was supposed to have been performed between June 3rd and 7th, the delivery deadline was not kept, and the test will now take place this week and next.

“CMS,” said the OIG’s report, “is working with very tight deadlines.”

According to Avik Roy at Forbes, based on the OIG’s assessment of ObamaCare’s privacy problems, the state “exchanges may end up illegally exposing Americans’ private records to hackers and criminals.”

Roy asserts that, under the Privacy Act of 1974, the Obama administration is legally required to provide privacy safeguards to secure Americans’ information. In addition, the Federal Information Security Management Act of 2002 (FISMA) requires the executive branch to keep Americans’ private information adequately protected from security breaches and misuse.

Roy notes the following about how Americans’ private information is handled in ObamaCare:

Hence, the Obamacare exchanges mandate the creation of a “data hub” through which exchanges can access personal records from seven different agencies–the Internal Revenue Service, the Social Security Administration, the Department of Homeland Security, the Veterans Health Administration, the Department of Defense, the Office of Personnel Management, and the Peace Corps–in order to determine eligibility for exchange subsidies and mandate penalties.

Before the exchanges can operate legally, the Obama administration must, under FISMA, meet guidelines set by the National Institute of Standards and Technology.

However, Gloria Jarmon, Deputy Inspector General for Audit Services at HHS, said that “several critical tasks remain to be completed in a short period of time…If there are additional delays in completing the security authorization,” CMS won’t have the necessary “security controls needed for the security authorization decision” to open the exchanges on October 1st.

Roy reports Jarmon’s concern that CMS has delayed important deadlines by approximately two months. As a result of the time crunch, CMS is now planning to perform, in only 10 days, the essential security reviews that will permit the exchanges to move forward, when those reviews actually take 51 days to complete thoroughly.

According to Roy:

What makes them think that they can accomplish a 51-day review in just 10 days? They don’t. The Obama administration is so determined to get Obamacare up and running on time that they are likely to ignore the legal requirements to adequately review these privacy safeguards.

The Obama administration, says Roy, believes failure to open the exchanges on time will be a greater public relations disaster than launching them without adequate privacy safeguards in place.

Reuters notes that experts confirm that the exchanges are more likely to open with security flaws than to be delayed.

“They’ve removed their margin for error,” said Deven McGraw, director of the health privacy project at the non-profit Center for Democracy & Technology. “There is huge pressure to get (the exchanges) up and running on time, but if there is a security incident they are done. It would be a complete disaster from a PR viewpoint.”

The most common type of security breach, according to Reuters, would be identity theft, whereby a hacker steals the social security numbers and other private information people hand over when they agree to participate in an insurance plan.

CMS spokesman Brian Cook said his agency is confident that ObamaCare’s exchanges will open on time. “We are on schedule and will be ready for the marketplaces to open on October 1,” he said.

Michael Astrue, former Commissioner of the Social Security Administration, minced no words in a piece this week in The Weekly Standard. Entitled “Privacy Be Damned,” Astrue’s article is scathing in its criticism of ObamaCare:

A functional and legally compliant federal exchange almost certainly will not be ready on October 1 for those who will have no choice but to use the federal portal. The reasons for failure are not short timelines (Congress gave HHS more than three years), political interference (Congress has not focused on ACA systems), or complexity (states have built well-designed exchanges). The reason is plain old incompetence and arrogance.

Astrue argues that no special funding was appropriated by Congress to create the systems for the exchanges. In addition, Donald Berwick, former CMS administrator, was unwilling to move adequate funds within his agency for the systems, and unable to convince HHS secretary Kathleen Sebelius to spend any money on this effort, despite her massive ObamaCare discretionary fund.

Astrue continues his condemnation:

Civil servants at CMS did what they could to meet the statutory deadline – they threw together an overly simplistic system without adequate privacy safeguards. The system’s lack of any substantial verification of the user would leave members of the public open to identity theft, lost periods of health insurance coverage, and exposure of address for victims of domestic abuse and others. CMS then tried to deflect attention from its shortcomings by falsely asserting that it had done so to satisfy White House directives about making electronic services user-friendly.

In June, Rep. Diane Black (R-TN) wrote about her concerns regarding Americans’ privacy and the ObamaCare “Data Hub”:

Despite being only four months from Obamacare open enrollment, even the most basic questions about the Data Hub have yet to be answered. For instance, which agencies will have access to what information in it; will government employees, contractors and third parties have access; and what training and security clearances – if any – are required for these individuals. Which begs the question: Is this what President Obama meant by being the most transparent administration in U.S. history?

With so much personal information going in and out of the Hub likely privy to both government employees and contractors, many of whom will have discretion over health care coverage and tax penalties, the potential for abuses is staggering.

Astrue adds a final note about the report issued by the OIG:

I don’t sleep well thinking about Americans being fined for not using systems that don’t work. I don’t sleep well thinking about domestic abusers who could use vulnerabilities in the system to find their victims. However, the HHS inspector general seems to have no difficulty snoozing night or day.