A lot of bluster has been made among the media about the problems with the Affordable Care Act website, but one concern that has been severely underreported—or at least has not grabbed the banner headlines—is the attempted security breaches against the health exchange sites.
Well, today comes the news that a user has reported being the victim of a breach within the Vermont Health Connect site. According to CSO:
The person who reported the problem wasn't named in the report. However, Greg Needle, the privacy administrator with Vermont Health Connect, confirmed that this person's Social Security Number, as well as information submitted to the exchange during the application process, was obtained by an unauthorized party. In a letter sent to the Centers for Medicare and Medicaid Services (CMS) by Needle, the person learned about the breach due to an anonymous letter.
Allegedly, on the back of the envelope was the message: “Vermont Health Connect is not a secure site!” The message was repeated in the letter.
Unfortunately, we should probably get used to seeing more data breaches or attempted breaches. As Matthew Standart, director of Threat Intelligence at HB Gary, told me in an email, the health exchange system is likely to face a landscape of threats due to hackers and identity thieves looking to profit from breaching the system. The health exchange sites are a treasure trove of data for thieves (or anyone who may want to sabotage the system itself). As Standart told me, at the center of the Affordable Care Act is the Federal Data Services Hub, a database that centrally stores information about citizens.
Standart went on to say:
What could be unique is that this system will face some specific threats that not all other systems face, such as politically motivated hackers who, in their disapproval of the system itself, may seek to destroy, disrupt or degrade the system. And in the case of modern insider threats, there is also a risk of users who abuse their privileges in a malicious way for financial or other personal gain, and the inadvertent hacker that accidentally puts proprietary data at risk.
As many other Americans watch to see how the operational flaws in the website system are addressed and fixed, I’ll be keeping a close eye on how IT security professionals handle potential threats to data and privacy. I’m not the only one who will be watching. As Standart pointed out:
These internal and external threats put a spotlight on IT administrators to have tools in place that not only identify risks quickly, but can also mitigate them before the damage is done.