It’s the biggest change in health care in nearly half a century, and perhaps unsurprisingly it’s already become a tool for scammers. Though open enrollment under the Affordable Care Act (aka Obamacare) doesn’t begin until Oct. 1, scam artists – masquerading as government representatives — have tricked a number of consumers into coughing up personal information over the phone. That’s just the opening shot. Once millions of consumers begin providing unprecedented amounts of personal data to various health exchanges through countless state and federal networks, the real assault will begin.
Hackers of all stripes are licking their chops in anticipation of a treasure trove of high value information ripe for the picking. The burning question: Are the data conduits secure? And what’s at stake if your information is stolen? Best case: your financial well-being, if new accounts are opened in your name. Worst case: your life, if medical treatment is obtained in your name and your medical files are co-mingled — leading to incorrect diagnosis and treatment. (If you’re worried that someone has fraudulently opened accounts in your name, you should request copies of your medical records and look for errors. You can also use a free tool like Credit.com’s Credit Report Card to monitor your credit for unexplained changes – which could stem from unpaid bills for fraudulently obtained healthcare. If something doesn’t seem right, you can dig deeper and get your three credit reports for free once a year.)
The politics of the Affordable Care Act are irrelevant. The issue for me is privacy and data security and whether you’re for Obamacare or against it, there are two ways the program’s rollout could put your personal information at risk:
A Potentially Insecure Data Collection Process
When it comes to keeping our information safe, the government appears to be playing a dangerous game of chicken.
An August report from the Inspector General revealed that the chief information officer for the Centers for Medicare & Medicaid Services, or CMS, (which will run the data hub responsible for verifying applicants’ personally identifying information with various federal agencies including the IRS and the Social Security Administration), won’t sign off on data security until Sept. 30, one day before health insurance marketplaces are scheduled to open. That seems too close for comfort to me.
The Inspector General reported that such a tight deadline means the information chief “may not have a full assessment of system risks and security controls needed” to collect our data safely. Bottom line: The marketplaces are going live whether the data they gather is protected or not.
Optimists can take some comfort in the fact that, as CMS administrator Marilyn Tavener told Congress in July, the data hubs—the focus of much partisan huffing and puffing—are simply conduits. They are not databases, and will not retain any personal information.
Frankly, it’s not as though the institutions currently gathering our data do a bang-up job protecting privacy, either.
“I don’t want to say it will be better privacy-wise, but it can’t be any worse,” says my colleague Eduard Goodman, chief privacy officer of Identity Theft 911. “At least with a government program you will have some accountability.”
That said, there is absolutely no room for trial and error when dealing with information so vital to our health and valuable to those who would steal and exploit it for their personal gain.
Lack of Proper Screening and Training
The federal government spent $67 million to hire “navigators” to help people enroll in Obamacare. As Health and Human Services Secretary Kathleen Sebelius told USA Today, navigators are needed to help consumers traverse the complicated world of private insurance, and dispel myths about the new program.
Many in the public and private sectors have expressed concern that navigators will have access to extremely sensitive personal information, including Social Security numbers, without proper screening, training and oversight required to prevent data loss or theft.
In a letter sent to the HHS Secretary less than one month ago, 13 attorneys general warned, “As it now stands, it is inevitable that HHS’s vague ‘standards’ will result in improperly screened or inadequately trained personnel.”
The administration counters that strong privacy measures exist already. The final rule implementing the program requires navigator agencies to be pre-screened and closely monitored. It argues that navigators will receive up to 30 hours of initial training that includes preparation on privacy and security; will be tested before starting work; will not have access to applicants’ online accounts; and their work will be monitored by CMS.
The back and forth has continued, but the concerns expressed by congressional critics aren’t entirely unfounded. No matter how much training and oversight they receive, navigators will have access to lots information about lots of Americans, and it is not unlikely that some may steal that data for their own profit.
We can do better. As the ID Theft Resource Center points out, all navigator applicants should undergo criminal background and fingerprint checks. Georgia, Utah and Nevada enacted tougher requirements on navigator certification and licensure. As long as such efforts don’t devolve into obstructionism, states have broad power to protect Americans from fraud and, as the administration points out, should use that power.
Inevitably, some identity thieves will try to pose as navigators to scam consumers into handing over private information. Reports of scams have already surfaced. If you receive a call from anyone claiming to be a navigator, ask for their contact information, independently confirm their authenticity and then return the call. Search the CMS Center for Consumer Information & Insurance Oversight to locate those organizations in your state that are serving as navigators.
The Affordable Care Act represents a huge step forward in our drive to give all Americans access to health care. Unfortunately, if we fail to properly secure health information and protect patient privacy, the door will be open to identity thieves, hackers and scam artists thereby creating an environment of distrust and insecurity which will ultimately jeopardize the health of the program.