Stand up for the facts!

Our only agenda is to publish the truth so you can be an informed participant in democracy.
We need your help.

More Info

I would like to contribute

By Julie Kliegman October 9, 2013

The health care marketplaces have 'no privacy protections,' Cotton says

When it comes to Web design, everyone’s a critic. The Affordable Care Act’s new online marketplaces certainly aren’t an exception. But some Internet complaints directed in President Barack Obama’s general direction go beyond cosmetics, attacking security, too.

Rep. Tom Cotton, R-Ark., who opposes Obamacare, was particularly vocal on MSNBC about the issues he saw with the new system. He said lawmakers now realize some of the downfalls of the system, including technical concerns.

"They realize that the websites aren't ready, that there's no privacy protections, that there's likely to be data breaches," he said.

Now, it’s clear that there are lots of bugs in the online marketplaces where consumers browse and purchase health care plans. There have been reported issues with the live chat function, registration process and speed of service, among other things. It’s not even clear how many people have been able to buy insurance, but it doesn’t seem like very many.

Cotton, though, said that the websites have no privacy protections and are therefore likely to be hacked. We decided to look into it to determine just how vulnerable consumer information is.

Where does your personal data go?

As users navigate, they get pointed toward the marketplace websites appropriate for their specific states. To apply for health insurance, they have to submit some sensitive information, including a Social Security number and last year’s income.

The site itself routs responses through a data hub, so that the Internal Revenue Service, the Department of Homeland Security and the Social Security Administration can verify customers’ identities and confirm eligibility for subsidies to buy health insurance.

This information isn’t stored in the hub itself, though, according to the Centers for Medicare and Medicaid Services, which oversees the online marketplaces. So information isn’t sitting there waiting to be stolen.

There are baseline privacy standards for the marketplaces that come directly from the health care reform legislation itself and previous health privacy laws. All the information collected must be relevant to determining eligibility and enrollment, said Christopher Rasmussen, a Health Privacy Project analyst at the Center for Democracy & Technology.

The information is submitted through secure protocols that government websites have long followed, said George Smith, an expert in the technology and science of cybersecurity.

The U.S. Department of Commerce developed a cybersecurity framework (that we would link to, if not for the government shutdown) that includes guidelines and best practices for organizations to secure their IT systems, designed to complement risk management already in place.

Scott Borg, CEO of the U.S. Cyber Consequences unit, a nonprofit institute that researches the economic consequences of possible cyber attacks, said the marketplaces are more secure than most popular e-commerce sites because they’re less complicated.

Featured Fact-check

"We can expect the health insurance industry websites after the Affordable Care Act is fully operating to be simpler, less numerous, and more like each other," Borg said.  "This will make them easier to secure and, in general, should improve their cyber security."

Potential data breaches

When we asked Cotton’s office about his statement, his staff pointed us to an August report indicating that government agencies pushed back some early security testing deadlines. This is true, but CMS reported later that the security testing was completed in September. That includes security testing done by an independent organization.

The final security authorization for the marketplace websites were completed on Sept. 6, two days behind the original timeline and several weeks before the marketplaces opened in October.

We also looked at an incident of a state website leaking personal data that a spokeswoman from Cotton’s office referred us to. MNsure, the Minnesota marketplace, accidentally emailed a spreadsheet identifying 2,400 insurance agents to an insurance broker’s office.

But that didn’t involve consumer data, and it happened prior to the opening of the MNsure marketplace on Oct. 1. Also, MNsure reported that this was due to human error, not an IT glitch.

Can the marketplace websites be hacked?

Data isn’t lying around for federal employees to take, but we also wanted to see how easy it might be for hackers to access.

"In general, it is very difficult to assess whether any website has adequate data security without conducting an internal security audit or attempting an attack from the outside," said Anton Dahbura, the executive director of the Johns Hopkins University Information Security Institute.

However, we found no evidence that the webpages are any more vulnerable to to attack than other websites associated wtih traditional e-commerce.

"These are actually going to be more secure than most government sites need to be," Borg said.

Our ruling

Cotton claimed that there are no privacy protections in the new online health care marketplaces. However, we found federal privacy regulations in the Affordable Care Act that keep the system’s data hub from storing user data.

The cybersecurity experts we spoke with said that the security precautions in place on are at least as strong as secure e-commerce websites consumers are already accustomed to using. No one we spoke with raised concerns about privacy. The most relevant complaints we saw remain that the websites are slow, not that consumer information is vulnerable.

We rate Cotton’s statement False.

Our Sources

Center for Democracy & Technology, "Privacy and Security in the Affordable Care Act’s Data Hub," July 26, 2013

Center for Medicare and Medicaid Services, "Security of the Marketplace Services Data Hub," Sept. 11, 2013

Center for Medicare and Medicaid Services, "Securing the Health Insurance Marketplace," Sept. 18, 2013

Department of Health and Human Services, "Observations Noted During the OIG Review of CMS’s Implementation of the Health Insurance Exchange--Data Services Hub," Aug. 2013

Email interview with Anton Dahbura, Johns Hopkins University Information Security Institute executive director, Oct. 7, 2013

Email interview with Caroline Rabbitt, spokeswoman for U.S. Rep. Tom Cotton, Oct. 7, 2013

Email interview with George Smith, expert on the science and technology of national security, Oct. 8, 2013

Email interview with Jenni Bowring-McDonough, MNsure spokeswoman, Oct. 7, 2013

Email interview with Richard Olague, Centers for Medicare and Medicaid spokesman, Oct. 4, 2013

E Pluribus Unum, "Open By Design: Why the Way the New Was Built Matters," June 22, 2013, "For Developers," accessed Oct. 7, 2013, "Privacy Policy," accessed Oct. 7, 2013

MNsure, "Website Security Talking Points," accessed Oct. 7, 2013

MSNBC, "Breaking Down the GOP Obamacare Argument," Oct. 3, 2013

PC Mag, "Beware of Fake Obamacare Insurance Marketplace Sites," Oct. 3, 2013

Phone interview with Christopher Rasmussen, Health Privacy Project analyst, Oct. 7, 2013

Phone and email interviews with Scott Borg, U.S. Cyber Consequences Unit CEO, Oct. 8, 2013

Phone interview with Tim Jost, Washington and Lee health policy professor, Oct. 8, 2013

Politico, "HHS To Take Applications Offline This Weekend For ‘Scheduled Maintenance," Oct. 7, 2013

Reuters, "‘The System is Down’: Obamacare Glitches Go Public, Reasons Unclear," Oct. 1, 2013

Slate, "Is the New Obamacare Website Really a ‘Hacker’s Dream?’", Sept. 30, 2013

Slate, "PGSTX0534 Will Not See You Now," Oct. 6, 2013

Star Tribune, "Errant Email Creates Security Breach at MNsure," Sept. 13, 2013

State Government Finance Committee, "Minnesota Health Insurance Exchange Security Update," Feb. 13, 2013

U.S. Government Printing Office, "The Patient Protection and Affordable Care Act," March 23, 2010

Washington Post, "Here’s Why Getting the Obamacare Exchanges to Work Was So Difficult," Oct. 4, 2013

Washington Post, "Obamacare’s Web Site is Really Bad," Oct. 4, 2013

Browse the Truth-O-Meter

More by Julie Kliegman

The health care marketplaces have 'no privacy protections,' Cotton says

Support independent fact-checking.
Become a member!

In a world of wild talk and fake news, help us stand up for the facts.

Sign me up