ThinkAdvisor

PPACA dashboard system skimped on security, officials say

The Centers for Medicare & Medicaid Services (CMS) was using only weak security measures to protect a HealthCare.gov performance dashboard data warehouse as recently as late 2014, according to a watchdog agency.

The Multidimensional Insurance Data Analytics System (MIDAS) has been in operation since October 2013, according to the U.S. Government Accountability Office (GAO). 

CMS started feeding consumers’ personally identifiable information, including income and Social Security information, into the system after it was up and running, and the CMS staff began to conduct a formal privacy analysis only after the role of the system expanded, GAO officials reported in September 2014.

Officials at another watchdog agency, the U.S. Department of Health and Human Services Office of Inspector General (HHS OIG), say — in a report summary that was completed in May but held for release until this month — that HHS OIG auditors found holes in MIDAS security when reviewing information security from August 2014 through December 2014.

The CMS staff members and vendors were not encrypting MIDAS users’ sessions, HHS OIG officials say.

MIDAS users could read the data in the system using a shared account, officials say.

Andrew Slavitt, the acting CMS administrator, wrote in a response to the HHS OIG report that CMS had addressed all of the serious vulnerabilities identified within a week of being told about them. And CMS addressed a majority of the other findings within 30 days of being told about them, Slavitt said.

MIDAS is an internal CMS system accessible only by authorized CMS employees and support personnel, Slavitt said.

“Use of MIDAS must be requested and approved based on appropriate justification before staff or a contractor is granted access,” Slavitt said.

The full text of the HHS OIG audit report does not appear to be publicly available.