Healthcare.gov Breach Compromises Enrollment Data
Thousands of consumers’ files in the Federally Facilitated Exchanges (FFE’s) Direct Enrollment pathway may have been compromised. The Centers for Medicare & Medicaid Services (CMS) said “anomalous activity” was detected in the portal on Oct. 13 and a breach was declared on Oct. 16. CMS issued a press release on Oct. 19.
“At this time,” CMS reports in the press release, “we believe that approximately 75,000 individuals’ files were accessed.”
Identify Patients in an FFE
FFEs were established pursuant the Patient Protection and Affordable Care Act (ACA) in any state that did not elect to establish a State-based Exchange (SBE). The Direct Enrollment pathway, first launched in 2013, allows agents and brokers to assist consumers with applications for health coverage in the FFE.
Providers should confirm the identity of all new patients enrolled in an exchange to be sure they are who they say they are.
Follow HIPAA Protocol
Federal regulation (45 CFR §155.270) requires each exchange to use standards, implementation specifications, operating rules, and code sets adopted by the U.S. Department of Health and Human Services (HHS) under HIPAA and the ACA when conducting certain electronic transactions with a covered entity. HHS oversees and monitors FFE issuers and non-exchange entities to verify compliance with security and privacy standards.
Exchange, Qualified Dental Plan, and Qualified Health Plan issuers transmit enrollment transactions in files using the Accredited Standards Committee X12 834 Benefit Enrollment and Maintenance Version 5010.
CMS said in the press release that it followed standard and appropriate security and risk protocols for researching and reporting the incident. Providers should have a plan in place for detecting and reporting fraudsters, as well.
Some of your patients may have been affected by this or another breach, or at least heard about a breach, and are concerned for their safety. Consumers believed to be victims of identity theft should file a report with the Federal Trade Commission (FTC) at IdentityTheft.gov. They can also call the FTC Identity Theft Hotline at 1-877-438-4338 or TTY 1-866-653-4261.
“We are actively engaged in and committed to helping those potentially impacted as well as ensuring the protection of consumer information,” CMS said in the press release.
The agent and broker accounts believed to be compromised were deactivated and the Direct Enrollment pathway for agents and brokers was disabled, according to CMS. The agency said last week that they expected to restore the pathway within 7 days. CMS said that other FFE enrollment channels, including HealthCare.gov and the Marketplace Call Center, were not affected and remain operational.
The agency did not mention any protocols the affected individuals should take to protect themselves from identity fraud or offer complimentary identity fraud protection. They did, however, issue a press release on Oct. 26, announcing the 2019 open enrollment period for the Federal Health Insurance Exchange.