Close Close
Popular Financial Topics Discover relevant content from across the suite of ALM legal publications From the Industry More content from ThinkAdvisor and select sponsors Investment Advisor Issue Gallery Read digital editions of Investment Advisor Magazine Tax Facts Get clear, current, and reliable answers to pressing tax questions
Luminaries Awards

Retirement Planning > Social Security

PPACA dashboard system skimped on security, officials say

Your article was successfully shared with the contacts you provided.

Centers for Medicare & Medicaid Services (CMS) was using only weak security measures to protect a performance dashboard data warehouse as recently as late 2014, according to a watchdog agency.

The Multidimensional Insurance Data Analytics System (MIDAS) has been in operation since October 2013, according to the U.S. Government Accountability Office (GAO). 

See also: Chinese hackers steal 4M federal personnel records: Here’s what the breach means for insurance

CMS started feeding consumers’ personally identifiable information, including income and Social Security information, into the system after it was up and running, and the CMS staff began to conduct a formal privacy analysis only after the role of the system expanded, GAO officials reported in September 2014.

Officials at another watchdog agency, the U.S. Department of Health and Human Services Office of Inspector General (HHS OIG), say — in a report summary that was completed in May but held for release until this month — that HHS OIG auditors found holes in MIDAS security when reviewing information security from August 2014 through December 2014.

The CMS staff members and vendors were not encrypting MIDAS users’ sessions, HHS OIG officials say.

MIDAS users could read the data in the system using a shared account, officials say.

Andrew Slavitt, the acting CMS administrator, wrote in a response to the HHS OIG report that CMS had addressed all of the serious vulnerabilities identified within a week of being told about them. And CMS addressed a majority of the other findings within 30 days of being told about them, Slavitt said.

MIDAS is an internal CMS system accessible only by authorized CMS employees and support personnel, Slavitt said.

“Use of MIDAS must be requested and approved based on appropriate justification before staff or a contractor is granted access,” Slavitt said.

The full text of the HHS OIG audit report does not appear to be publicly available.


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.