
Proposed healthcare bill and GAO report hold government feet to fire on data security breaches

Update below: The Centers for Medicare and Medicaid Services and the Department of Health and Human Services are being directed to put into practice what they frequently preach: Do a better job of protecting people’s personally identifiable information.

Lest some of you have been going through withdrawal from a lack of controversy over the HealthCare.gov federal exchange during the holidays, rest easy. Republican Rep. Joe Pitts of Pennsylvania introduced a bill this week that would require HHS to notify individuals within two business days of any breach on the federal and state health insurance exchanges created by the Affordable Care Act that jeopardizes their personal data.

“With Healthcare.gov continuing to undergo maintenance and construction, computer security experts have warned that this data could be vulnerable to hackers,” said Pitts in a statement. “Identity theft can be devastating to individuals and families. We need to make sure that the government promptly notifies exchange enrollees if their data is stolen.”


Update: The House approved the proposal, the Health Exchange Security and Transparency Act, by a vote of 291-122, with 67 Democrats crossing the aisle to support the bill.

The Obamacare insurance exchange bill follows multiple hearings held last fall on glitches associated with the unfinished HealthCare.gov website. In response to the proposal, HHS published a fact sheet stating that to date there have been no successful security attacks on the website, according to Politico. House Oversight Committee Chairman Darrell Issa claimed that the security systems were insufficiently tested, and in a letter this week he accused HHS Secretary Kathleen Sebelius of misleading Congress about the security risks.

Although a spokesman for Senate Majority Leader Harry Reid was not optimistic that the bill would reach the Senate floor, there should be an effective way to monitor performance and hold the government accountable for keeping users’ information private and for informing people of any security violations. It would be hypocritical for the government not to consent to at least some oversight on this subject.

The Government Accountability Office took CMS to task for failing to document how many people were affected in data breaches, the risk level assigned to each incident, and the rationale for that risk determination. CMS was one of eight government agencies evaluated in the report, which also covered Veterans Affairs, the Securities and Exchange Commission and the IRS.

Of 58 data breaches involving personally identifiable information, CMS did not document the affected individuals in 28 cases, and it failed to identify the risk level in 56 of the 58. The problem with not identifying the risk level, the report noted, is that the agency cannot properly assess the likely harm of each incident, and therefore cannot decide whether and how to respond to it.

In its defense, CMS officials said 71 percent of the approximately 1,400 incidents reported in 2013 were paper incidents rather than electronic ones, most of which involved PII being mailed or sent to the wrong patient or provider.

[Photo Credit: Pong]