The Centers for Medicare and Medicaid Services (CMS) confirmed on its website that it was the victim of a data breach in October — the Marketplace system used for agents and brokers was hacked.
In a statement on HealthCare.gov, the government agency said the breach allowed “inappropriate access to the personal information of approximately 75,000 people who are listed on Marketplace applications.” It went on to say that it is notifying affected individuals starting last week — first with a phone call, then followed up by a letter with details about the breach and the protections that are available to impacted people. “HealthCare.gov is safe to use, and the agent and broker system is now available again with additional security measures in place. You can use HealthCare.gov directly, and these same resources are available to your trusted agent or broker,” CMS said.
In the letter sent to affected individuals, CMS said that some of the information that was accessible included name, date of birth, address, the last four digits of social security numbers, tax filing status, expected income among a slew of other information. It did note in the letter that none of the information that was accessible included bank account numbers, credit card numbers, or diagnosis or treatment information. “We are continuing to investigate this breach and putting additional security measures in place to make sure HealthCare.gov and the Marketplace process are safe and all consumer information is protected. Please be assured that all information will be protected during Open Enrollment,” CMS wrote in the letter. “At this time, we don’t know whether all of this information was actually accessed or misused. However, since this breach involves sensitive personal information, including partial SSN, there could be a risk of identity theft.” The government agency is offering free identity theft protections due to the breach through ID Experts, a data breach and recovery company. The coverage lasts twelve months and includes a $5,000,000 insurance reimbursement policy and identity theft recovery services.
In October CMS announced the government portal that insurance agents and brokers use to help customers sign up for healthcare was hacked, with the bad guys getting off with the personal data of 75,000 people. In a press release at the time, CMS staff detected anomalous activity in the Federally Facilitated Exchanges (FFE)’s Direct Enrollment pathway for agents and brokers. The Direct Enrollment pathway, first launched in 2013, allows insurance agents and brokers to assist consumers with applications for coverage in the FFE. CMS said that it believes about 75,000 individuals’ files were accessed via the data breach.