WASHINGTON -- Amid the outrage over the disastrous startup of the healthcare.gov website, concerns are also being raised about privacy and safety of the personal information that consumers share when signing up and searching for health care plans through federal and state websites.
Last week, Health and Human Services Secretary Kathleen Sebelius told the Senate Finance Committee that it was "possible" for a felon to become a "navigator," the people hired to assist consumers with the enrollment process. According to Sebelius, there is no requirement for navigators to submit to background checks.
In a House hearing Wednesday, Oversight Committee Chairman Rep. Darrell Issa, R-Vista, said "there were material failures in the security" of the federal website. He claimed that "hackers may soon find those vulnerabilities."
The federal health exchange handles sign-ups for 36 states. California has its own exchange, Covered California. It collects such data as Social Security numbers and income, which are used to determine eligibility for tax credits. Stephen Parente, a University of Minnesota health economist who consulted for Republican Sen. John McCain, told Bloomberg News "this is the opportunity (identity thieves) have been waiting a lifetime for: a brand-new reason for people to put in personal information who otherwise wouldn't have done it before."
So just how secure are the personal data being handled by the Obamacare exchanges?
In California, navigators and certified enrollment counselors, who are like navigators but with less responsibility, are required to undergo about two and a half days of training on the system and the basics of the Affordable Care Act and then take a competency exam, according to Larry Hicks of Covered California.
"At the same time, they have to submit a personal disclosure form," said Hicks, "that they've never been involved in any serious crimes -- felonies specifically. And they undergo a criminal-background check and they are fingerprinted."
In other states, the navigators and certified enrollment counselors and their equivalents are generally hired by local institutions, such as the University of Arkansas, the Epilepsy Foundation of Florida, Visiting Nurse Services of Iowa, Ascension Health, Ohio Association of Foodbanks and the National Urban League. And these groups can implement stricter background requirements if they wish, according to an HHS spokesman.
Once information is submitted through the state or federal website, it is sent electronically to a federal data hub, where it is verified by as many as seven federal agencies: Social Security Administration, IRS, Department of Homeland Security, Department of Defense/TRICARE, Veterans Health Administration, Office of Personnel Management and Peace Corps. According to an HHS spokesman, the list could expand in the future.
After verification, notification is sent back to the state or federal exchange, where the consumer's information is submitted to the health care provider and erased from the exchange, according to Hicks.
Obamacare requires individuals to have insurance starting in 2014. Compliance is verified by the IRS when individuals submit tax returns, ensuring that individuals don't just cancel their policies after the initial enrollment, according to an HHS official.
Because Obamacare bars health insurers from denying coverage based on pre-existing conditions, no medical information needs to be provided by the consumer, Hicks said. However, there is always the potential for theft of other data, such as Social Security numbers, through the websites themselves, through the data hub or through the agencies that receive information through the data hub.
These days, there's no guarantee that any large institution's databases can't be hacked, said one security expert. But as those institutions go, government sites are as secure as any.
"Any time you give the government, or anybody, any data, chances are not bad that they're going to get hacked," said Charles Intriago, president of the Association of Financial Crime Specialists. "Your data is as secure with the government as it is with a bank, in my opinion."
At two House hearings Wednesday -- the one before the Oversight Committee and another in the Homeland Security Committee -- many Republicans pressed the argument that the federal Obamacare website was launched hastily with security flaws, while Democrats countered that the hearings were just another attempt to scare people away from signing up for coverage.
Responding to questions from Oversight committee member Rep. Jason Chaffetz, R-Utah, Health and Human Services Chief Information Officer Frank Baitman said that an "ethical hacker" was hired to identify potential weaknesses in the system before the launch. He found seven to 10 weaknesses, not all of which were considered serious. Baitman said the majority had been remediated, but not all.
Issa redacted the specifics of the issues, because the committee decided it didn't want to "give a road map to hackers." It's unclear how much these issues actually jeopardize any user information.
(c)2013 The Orange County Register (Santa Ana, Calif.)
Visit The Orange County Register (Santa Ana, Calif.) at www.ocregister.com
Distributed by MCT Information Services