D.C. Health Exchange Needs Broker Identity Theft Posse

A breach exposed 56,415 users' personal information. Few have signed up for protection.

The builders of the Affordable Care Act health insurance exchange system once wondered whether agents and brokers would have a role in the health insurance market.

Now, the managers of the ACA public exchange for the District of Columbia are turning to brokers to help persuade more users to protect themselves against the effects of a recent data breach.

The breach, which was discovered March 6 and announced March 8, exposed the personal information of about 56,415 exchange users, including 17 members of Congress. Data thieves posted at least two batches of data, including the Social Security numbers and email addresses of at least some users, on identity information markets.

Mila Kofman, executive director of the D.C. Health Benefit Exchange Authority, the agency in charge of the DC Health Link exchange, testified Wednesday that the exchange hopes brokers and business organizations will help it get more exchange users’ attention, warn them that thieves might have sold their Social Security numbers and other personal data, and persuade them to sign up for free credit bureau identity theft defense services.

“We did two briefings for our brokers,” Kofman said, at a hearing on the breach organized by the House Oversight cybersecurity subcommittee and the House Administration oversight subcommittee. “Ninety-two percent of our employers have a broker, and we asked our brokers to notify their clients about this breach.”

What It Means

Aside from needing you to help consumers plan for the future and protect themselves against mortality, morbidity and longevity risk, financial services organizations need you to get people to pay attention when identity thieves have put information about their home addresses and Social Security numbers up for sale on the “dark web.”

In the long run, the hacking itself could be of as much concern for retirement planners in the District of Columbia as for health insurance brokers. Criminals could try to use any DC Health Link data they purchase to set up investment accounts under fake names, or even to try to steal cell phones from specific homes and use a combination of the cell phones and the Social Security numbers to take over clients’ bank accounts, mutual funds, annuities, life insurance policies, or other financial services accounts and assets.

DC Health Link

Congress included the ACA public exchange system in the Affordable Care Act, a package of two statutes passed in 2010. The District of Columbia and individual states run local ACA exchanges in some jurisdictions, and the Centers for Medicare and Medicaid Services runs a federal program, HealthCare.gov, for jurisdictions unable or unwilling to run their own exchange programs.

Congress tried to show its solidarity with other exchange users by requiring members of Congress and some congressional aides to get their own health coverage through the exchange system. Because of that rule, many members of Congress and other exchange users get their coverage through DC Health Link.

In March, the exchange had 14,547 individual coverage enrollees and 86,482 enrollees in 5,324 group plans, according to an enrollment summary included in an exchange board meeting document packet.

Kofman noted in the written version of her hearing testimony that DC Health Link faces an average of 2,000 malicious attacks per day and has a cybersecurity program that includes technology from the kinds of providers used by U.S. military and intelligence agencies.

The Breach

The breach appears to be related to a reporting system configuration error that has been in place since 2018, Kofman said at the hearing.

Although the breach affected the reporting system, not the main enrollment system, some enrollees’ records in the reports included many different data fields.

In addition to fields for an enrollee’s name, Social Security number and home address, the system included data fields for date of birth, gender, health coverage provider, coverage dates, employer name, race, ethnicity and citizenship status.

The Credit Bureau Monitoring Offer

DC Health Link began notifying the FBI and other relevant agencies about the breach within minutes of discovering it, and it notified the users who might have been affected by sending out emails and by putting a special data breach page and a warning pop-up notice on its website, Kofman said.

Eleanor Norton, the delegate representing the District of Columbia in the House, noted that the open rates for the breach notification emails ranged from 22% to 32%.

“So, theoretically, many individuals impacted by the breach are not aware that their data was stolen,” Norton said.

Norton asked Kofman whether DC Health Link has considered using text notifications, telephone calls or paper mail to tell users about the breach.

“We’re looking at all options available,” Kofman said.

Kofman told Norton that the exchange is using identity theft protection service take-up rates as a measure of the effectiveness of the notification effort.

About 19.1% of the users notified have taken up identity theft protection tracking for the Experian credit bureau system, Kofman said. That compares with a typical Experian identity theft tracking service take-up rate of about 4% for average data breach victims, she added.

“Obviously, we want everyone whose information was stolen to avail themselves of this protection,” Kofman said.
