Last week’s hack of the personal information of 80 million Anthem customers and employees has alarmed people throughout the health-care and financial services industries, but it could be small potatoes compared to the consequences of a (likely) hack of the federal insurance exchange.
Anthem quickly notified affected parties and the Federal Bureau of Investigation, and hired a cyber-security firm to help remedy the consequences. Apparently no credit card information or medical records were involved, but the hackers did obtain names, birthdays, addresses, Social Security numbers, income data, and medical ID numbers. That is a lot of information.
At this writing the speculation is that the Chinese government did the hacking. It is less interested in applying for bogus credit cards, and more interested in compromising the integrity of employees of defense contractors and government agencies. But who really knows?
If We Screw You, We Won’t Tell
Apparently, credit card numbers aren’t very valuable—it is easy enough to cancel a credit card and, after the hacks of Target and other large retailers, the black market is flooded with such information. Remember supply and demand? The New York Times reports that medical records are fetching $251 each on the black market, while a credit-card record gets a mere 33 cents. We have been assured that medical records themselves were not released in the Anthem hack, but if the medical ID numbers were, it shouldn’t be hard for thieves to open the door to the records themselves.
An article in The Hill reports that Social Security numbers alone are worth ten to twenty times as much as a credit card number. It says, “unlike credit cards, Social Security numbers are never reissued.”
At least Anthem notified its members that the breach had taken place, allowing them to take defensive actions to ward off violations. Watchdog.org reports that the federal health exchange is under no obligation to notify users of any similar intrusions. The article reports that consumer advocates requested at least notification and investigation when a breach is detected, but the Department of Health and Human Services responded, “We do not plan to include specific notification procedures in the final rule. Consistent with this approach, we do not include specific policies for investigation of data breaches in this final rule.”
Wow! This is like hanging a “Breach Me” banner on the healthcare.gov website. What could go wrong?
The Feds Will Share Your Info With Everyone Voluntarily
Lest you get up on your high horse and dismiss any concerns here, the official “Privacy Act Statement” from healthcare.gov reminds you that by applying for coverage you “represent that you have permission from all of the people whose information is on the application to both submit their information to the Marketplace, and receive any communications about their eligibility and enrollment.” It reminds you that providing your Social Security number is “voluntary,” but failure to do so will prevent you from getting coverage and subject you to a penalty. Further, if you fail to provide correct information, “you may be subject to a penalty and other law enforcement action.” Sounds like a pretty Orwellian definition of “voluntary” to me.
But don’t worry, it’s not like they plan to share this information very widely, just with:
- “Other federal agencies, (such as the Internal Revenue Service, Social Security Administration and Department of Homeland Security), state agencies (such as Medicaid or [the Children’s Health Insurance Program]) or local government agencies. We may use the information you provide in computer matching programs with any of these groups to make eligibility determinations, to verify continued eligibility for enrollment in a qualified health plan or Federal benefit programs, or to process appeals of eligibility determinations. Information provided by applicants won’t be used for immigration enforcement purposes;
- Other verification sources including consumer reporting agencies;
- Employers identified on applications for eligibility determinations;
- Applicants/enrollees, and authorized representatives of applicants/enrollees;
- Agents, Brokers, and issuers of Qualified Health Plans, as applicable, who are certified by CMS who assist applicants/enrollees;
- CMS contractors engaged to perform a function for the Marketplace; and
- Anyone else as required by law or allowed under the Privacy Act System of Records Notice associated with this collection.”
See? Chinese hackers aren’t even on the list, so you have nothing to worry about.