The Centers for Medicare & Medicaid Services (CMS) was using only weak security measures to protect a HealthCare.gov performance dashboard data warehouse as recently as late 2014, according to a watchdog agency.
The Multidimensional Insurance Data Analytics System (MIDAS) has been in operation since October 2013, according to the U.S. Government Accountability Office (GAO).
CMS started feeding consumers’ personally identifiable information, including income and Social Security information, into the system after it was up and running, and the CMS staff began to conduct a formal privacy analysis only after the role of the system expanded, GAO officials reported in September 2014.
Officials at another watchdog agency, the U.S. Department of Health and Human Services Office of Inspector General (HHS OIG), say in a report summary, which was completed in May but held for release until this month, that HHS OIG auditors found holes in MIDAS security when reviewing information security from August 2014 through December 2014.
The CMS staff members and vendors were not encrypting MIDAS users’ sessions, HHS OIG officials say.