October 23, 2018 at
According to an announcement made by the CMS (Centers for Medicare and Medicaid Services) last Friday, the organization has recently experienced a massive data breach. The announcement claims that around 75,000 individuals were affected and that their personal data got exposed during the incident.
While the details have yet to be released, it was confirmed that the hackers’ accounts have been deactivated. Additionally, the CMS also deactivated the tool used for bypassing system’s defenses.
Hackers used portal’s behind-the-scenes system to conduct an attack
The attack was made possible due to the Federally Facilitated Exchange’s Direct Enrollment Pathway. This is a method that agents and brokers use to contact service’s customers and convince them to take health insurance. According to the report, the pathway was likely compromised between October 13 and October 16.
However, despite the breach, HealthCare.gov, which is linked to CMS, remains online and operational, as well as the Marketplace Call Center. Additionally, the pathway will be restored at some point during the next week.
As for the individuals affected by the attack, CMS admin, Seema Verma, stated that they are being contacted and warned about the incident.
HealthCare.gov was originally established by the former US President, Barack Obama, under the healthcare law titled Affordable Care Act. The website served as a portal for signing up for insurance plans, and users had to provide large amounts of personal data to complete the process. Apart from their names and addresses, they also had to provide Social Security numbers and other sensitive information.
It appears that hackers did not target the website directly, but rather its background system which is normally used by brokers and agents working for the services. By compromising the pathway, they gained unrestricted access to this information, which is what makes the attack all the more serious.
The hack is not the first incident surrounding HealthCare.gov
According to Verma, a new enrollment in healthcare plans will start soon, on November 1st. Those who agree to enroll in health insurance at this point will not be endangered by a security breach. While this is the first large breach of this kind, it is not the first time that HealthCare.gov has gained negative publicity. Prior to this incident, there was a controversy surrounding the service in 2015. On that occasion, it was discovered that the portal is sharing similar personal information with marketing companies.
While this incident clearly did not occur as part of HealthCare.gov’s plans, it has still led many to doubt the quality of their service, or at least, the security of provided data. So far, it is unclear who is behind the hack, or what do they plan to do with stolen data. Although, the usual practice includes selling it on the dark web, which is what makes dealing with the consequences the most important move to make right now.