Dive Brief:
- A review of the Multidimensional Insurance Data Analytics System (MIDAS), described as the backbone of the ACA's health insurance marketplaces, has revealed significant vulnerabilities in how the system stored customers' personal information including names, birth dates, Social Security numbers and financial account information.
- The issues have not been publicly detailed "because of the sensitive nature of the information," the report states, but they included 135 database vulnerabilities, of which almost two dozen were considered "potentially severe or catastrophic."
- The report adds that CMS was verified to have remediated all of the concerns before the final report was released.
Dive Insight:
Although the issues are reported to be resolved, HealthCare.gov stands to take another hit to consumer trust and confidence, particularly following the recent spate of high-profile cyberattacks on health insurers.
Among those issues detailed in the report, CMS:
- Neglected to disable generic accounts used for testing;
- Failed to encrypt user sessions;
- Failed to undergo automated vulnerability assessments based on known cyberattacks; and
- Utilized a shared read-only account for the database that contained the personally identifiable information.
The failure to encrypt user sessions, which is standard practice for financial websites, was "inexcusable for such sensitive data," Michelle De Mooy, deputy director for consumer privacy at the Center for Democracy & Technology, told the Associated Press.
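Three of the four findings above are the kind of thing an operator can check on a schedule rather than wait for an auditor to find. The following is an added example, not code from the report or from CMS: it runs simple audit rules over a constructed account inventory and a constructed login response, flagging enabled generic/test accounts, shared credentials with access to PII tables, and sessions set up without transport encryption or cookie protections. The account names, table names, cookie names and the pattern used to recognise "generic" accounts are all assumptions for illustration.

```python
"""Audit checks modelled on the MIDAS findings (illustrative example; constructed data, not CMS data)."""
import re
from dataclasses import dataclass, field
from http.cookies import SimpleCookie

# Assumption: names like these usually mark generic or test principals. Tune to local naming rules.
GENERIC_NAME_RE = re.compile(r"^(test|qa|demo|guest|temp|sample)\d*$", re.IGNORECASE)


@dataclass
class DbAccount:
    name: str
    enabled: bool
    shared: bool                      # one credential used by several people or systems
    pii_tables: list = field(default_factory=list)   # tables holding SSNs, DOBs, bank details, ...


def find_generic_accounts(accounts):
    """Finding 1: generic/test accounts that are still enabled."""
    return sorted(a.name for a in accounts if a.enabled and GENERIC_NAME_RE.match(a.name))


def find_shared_pii_accounts(accounts):
    """Finding 4: shared credentials that can read PII. Read-only access still exposes the data
    and makes the reader unattributable, so it is flagged regardless of write rights."""
    return sorted(a.name for a in accounts if a.enabled and a.shared and a.pii_tables)


def check_session_transport(login_url, set_cookie_headers):
    """Finding 2: session established over plain HTTP, or session cookie lacking Secure/HttpOnly."""
    problems = []
    if not login_url.lower().startswith("https://"):
        problems.append("session endpoint served over plain HTTP")
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # Assumption: session cookies are recognised by name; adapt to the real cookie name.
            if "session" in name.lower() or name.lower() in ("sid", "jsessionid"):
                if not morsel["secure"]:
                    problems.append(f"{name}: missing Secure flag")
                if not morsel["httponly"]:
                    problems.append(f"{name}: missing HttpOnly flag")
    return problems


# Constructed inventory and response, for demonstration only.
SAMPLE_ACCOUNTS = [
    DbAccount("test1", enabled=True, shared=False),
    DbAccount("midas_ro", enabled=True, shared=True, pii_tables=["enrollee"]),
    DbAccount("qa", enabled=False, shared=True, pii_tables=["enrollee"]),
    DbAccount("jsmith", enabled=True, shared=False, pii_tables=["enrollee"]),
]
SAMPLE_LOGIN_URL = "http://marketplace.example.test/login"
SAMPLE_SET_COOKIE = ["SESSIONID=abc123; Path=/"]


def run_audit(accounts=SAMPLE_ACCOUNTS, login_url=SAMPLE_LOGIN_URL, cookies=SAMPLE_SET_COOKIE):
    """Run all three checks and return the findings keyed by the report item they correspond to."""
    return {
        "generic_accounts_enabled": find_generic_accounts(accounts),
        "shared_pii_accounts": find_shared_pii_accounts(accounts),
        "session_transport": check_session_transport(login_url, cookies),
    }


if __name__ == "__main__":
    for item, findings in run_audit().items():
        print(f"{item}: {findings or 'OK'}")
```

The third finding, the lack of automated vulnerability assessments, is a process gap rather than a state you can inspect, so it is not modelled here; the natural control is a scheduled scan whose last-run date is itself monitored.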