July 10 2014
Jillian Kay Melchior
Covered California jeopardized the personal-identification information of at least 378 Obamacare enrollees, according to records reviewed by National Review Online. In most of these instances, navigators sent consumers’ confidential data to Covered California representatives using an “email [that] was not encrypted or otherwise secure,” violation notices stated — a direct violation of the health exchange’s policy.
Dana Howard, a spokesman for the health exchange, says “there is no indication [that consumers’ personal-identification information] was compromised,” adding that these violations constitute “a very minimal risk.” But cyber-security experts contacted by NRO expressed significant concerns.
At least seven times, navigators sent Social Security numbers insecurely. Furthermore, though the personal data sent through unencrypted e-mail varied by incident, information sent insecurely included driver’s-license numbers, immigration-document numbers, household income, employment information, health conditions, home addresses and phone numbers, birth dates, eye and hair color, and weight, to name a few examples.
Michael Gregg, a cyber-security expert who has testified before Congress about risks at Healthcare.gov, tells NRO that personal information should never be sent unencrypted because there’s a risk of unauthorized access. “Would you write your Social Security number on a postcard and drop it off at the post office?” Gregg asked. “I wouldn’t. Think of e-mail as a postcard. Anything written on the back of a postcard can be read by anyone, e-mail is basically the same.”
Covered California’s spokesman objected to the postcard analogy, calling it “inaccurate.”
Gregg continued: “E-mail is clear text; so in transit, e-mail can be intercepted and the contents disclosed to hackers or other unauthorized persons. It’s easy to do, and if the individual is checking their mail on an open WiFi connection, at a hotel, coffee shop, etc., it’s very easy.” Even if an unencrypted message reaches its intended recipient, breaches can still occur, because that data is often retained in e-mail systems, computers, smartphones, or tablets, he said.
According to Covered California records, one navigator told a security consultant that she was conducting enrollments over the phone and receiving and transmitting paperwork by e-mail because she had no office for Covered California work.
William Nolte, a public-policy expert at the University of Maryland’s Cybersecurity Center, tells NRO that when private personal information is sent by e-mail, the technical risk is “extremely high — it’s negligently high,” even if it’s somewhat unlikely a bad actor will stumble across the opening and exploit it.
The ability to access an insecure e-mail is “within the technical capabilities of God knows how many thousands of people,” Nolte says. “You don’t have to have a lot of skill. Now, the odds that any individual is going to get his identity stolen or in some other way be harmed: You can say that in an actuarial sense, it’s pretty low. But I don’t think that excuses the authority or contractor. I don’t think they’re being diligent in protecting the information.”
When Covered California learns of information sent insecurely, it informs the navigator grantee of the violation. That organization’s primary contact is asked to review and sign Covered California’s privacy- and security-training manual and to ensure that all navigators “immediately cease and desist from sending [personally identifying information] via unsecure methods,” according to several such letters reviewed by NRO.
One navigator was linked to at least nine incidents where confidential consumer information was sent unsafely. But to date, Covered California has not fired any navigators for violating its privacy and security policies, Howard says, because “this is a policy, it’s not a requirement,” and because “this is just a very small likelihood of anything taking place, of any identifiable information being compromised.”
But Nolte says that even if the odds were minimal, it’s still bad practice. “You have a fiduciary responsibility with that information, and you protect that,” he says. “It seems to me that in doing this — I don’t care if it’s 1 percent of [Covered California] employees who do it or 2 percent, or 300 cases or 8,000 — it’s irresponsible, and there’s no other word for it.”
— Jillian Kay Melchior is a Thomas L. Rhodes Fellow for the Franklin Center for Government and Public Integrity. She is also a Senior Fellow at the Independent Women’s Forum.