Published December 21, 2015
Americans who buy health insurance through the federal Obamacare exchange website could have their personal information stolen by hackers and never even know it.
Most of the state-run health exchange websites will be covered by state laws that require notification when government databases are breached by hackers. But there is no law requiring notification when databases run by the federal government are breached, and even though the Department of Health and Human Services was asked to include a notification provision in the rules being drawn up for the new federal exchange, it declined to do so.
Other protections for individuals’ privacy, like the Health Insurance Portability and Accountability Act, or HIPAA, do not apply to the government-run exchange, only to health providers and insurance companies operating within the exchange.
Privacy advocates and cyber-security experts have had concerns about the lack of a federal notification law for years and hope the scrutiny of the Obamacare exchange will finally bring change.
“The notification requirement is a very important part of overall security,” said Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology. “People should be told when their information is at risk.”
The lack of a notification requirement is particularly bad for the health insurance exchange website because of all the questions surrounding the site’s security. Poor security, coupled with the website’s high-profile problems, could make it a target for hackers either seeking to steal identities or embarrass the government.