Stand up for facts and support PolitiFact.
Now is your chance to go on the record as supporting trusted, factual information by joining PolitiFact’s Truth Squad. Contributions or gifts to PolitiFact, which is part of the 501(c)(3) nonprofit Poynter Institute, are tax deductible.
I would like to contribute
When it comes to Web design, everyone’s a critic. The Affordable Care Act’s new online marketplaces certainly aren’t an exception. But some Internet complaints directed in President Barack Obama’s general direction go beyond cosmetics, attacking security, too.
Rep. Tom Cotton, R-Ark., who opposes Obamacare, was particularly vocal on MSNBC about the issues he saw with the new system. He said lawmakers now realize some of the downfalls of the system, including technical concerns.
"They realize that the websites aren't ready, that there's no privacy protections, that there's likely to be data breaches," he said.
Now, it’s clear that there are lots of bugs in the online marketplaces where consumers browse and purchase health care plans. There have been reported issues with the live chat function, registration process and speed of service, among other things. It’s not even clear how many people have been able to buy insurance, but it doesn’t seem like very many.
Cotton, though, said that the websites have no privacy protections and are therefore likely to be hacked. We decided to look into it to determine just how vulnerable consumer information is.
Where does your personal data go?
As users navigate healthcare.gov, they get pointed toward the marketplace websites appropriate for their specific states. To apply for health insurance, they have to submit some sensitive information, including a Social Security number and last year’s income.
The site itself routs responses through a data hub, so that the Internal Revenue Service, the Department of Homeland Security and the Social Security Administration can verify customers’ identities and confirm eligibility for subsidies to buy health insurance.
This information isn’t stored in the hub itself, though, according to the Centers for Medicare and Medicaid Services, which oversees the online marketplaces. So information isn’t sitting there waiting to be stolen.
There are baseline privacy standards for the marketplaces that come directly from the health care reform legislation itself and previous health privacy laws. All the information collected must be relevant to determining eligibility and enrollment, said Christopher Rasmussen, a Health Privacy Project analyst at the Center for Democracy & Technology.
The information is submitted through secure protocols that government websites have long followed, said George Smith, an expert in the technology and science of cybersecurity.
The U.S. Department of Commerce developed a cybersecurity framework (that we would link to, if not for the government shutdown) that includes guidelines and best practices for organizations to secure their IT systems, designed to complement risk management already in place.
Scott Borg, CEO of the U.S. Cyber Consequences unit, a nonprofit institute that researches the economic consequences of possible cyber attacks, said the marketplaces are more secure than most popular e-commerce sites because they’re less complicated.
"We can expect the health insurance industry websites after the Affordable Care Act is fully operating to be simpler, less numerous, and more like each other," Borg said. "This will make them easier to secure and, in general, should improve their cyber security."
Potential data breaches
When we asked Cotton’s office about his statement, his staff pointed us to an August report indicating that government agencies pushed back some early security testing deadlines. This is true, but CMS reported later that the security testing was completed in September. That includes security testing done by an independent organization.
The final security authorization for the marketplace websites were completed on Sept. 6, two days behind the original timeline and several weeks before the marketplaces opened in October.
We also looked at an incident of a state website leaking personal data that a spokeswoman from Cotton’s office referred us to. MNsure, the Minnesota marketplace, accidentally emailed a spreadsheet identifying 2,400 insurance agents to an insurance broker’s office.
But that didn’t involve consumer data, and it happened prior to the opening of the MNsure marketplace on Oct. 1. Also, MNsure reported that this was due to human error, not an IT glitch.
Can the marketplace websites be hacked?
Data isn’t lying around for federal employees to take, but we also wanted to see how easy it might be for hackers to access.
"In general, it is very difficult to assess whether any website has adequate data security without conducting an internal security audit or attempting an attack from the outside," said Anton Dahbura, the executive director of the Johns Hopkins University Information Security Institute.
However, we found no evidence that the healthcare.gov webpages are any more vulnerable to to attack than other websites associated wtih traditional e-commerce.
"These are actually going to be more secure than most government sites need to be," Borg said.
Cotton claimed that there are no privacy protections in the new online health care marketplaces. However, we found federal privacy regulations in the Affordable Care Act that keep the system’s data hub from storing user data.
The cybersecurity experts we spoke with said that the security precautions in place on healthcare.gov are at least as strong as secure e-commerce websites consumers are already accustomed to using. No one we spoke with raised concerns about privacy. The most relevant complaints we saw remain that the websites are slow, not that consumer information is vulnerable.
We rate Cotton’s statement False.
Center for Democracy & Technology, "Privacy and Security in the Affordable Care Act’s Data Hub," July 26, 2013
Center for Medicare and Medicaid Services, "Security of the Marketplace Services Data Hub," Sept. 11, 2013
Center for Medicare and Medicaid Services, "Securing the Health Insurance Marketplace," Sept. 18, 2013
Department of Health and Human Services, "Observations Noted During the OIG Review of CMS’s Implementation of the Health Insurance Exchange--Data Services Hub," Aug. 2013
Email interview with Anton Dahbura, Johns Hopkins University Information Security Institute executive director, Oct. 7, 2013
Email interview with Caroline Rabbitt, spokeswoman for U.S. Rep. Tom Cotton, Oct. 7, 2013
Email interview with George Smith, GlobalSecurity.org expert on the science and technology of national security, Oct. 8, 2013
Email interview with Jenni Bowring-McDonough, MNsure spokeswoman, Oct. 7, 2013
Email interview with Richard Olague, Centers for Medicare and Medicaid spokesman, Oct. 4, 2013
E Pluribus Unum, "Open By Design: Why the Way the New Healthcare.gov Was Built Matters," June 22, 2013
HealthCare.gov, "For Developers," accessed Oct. 7, 2013
MNsure, "Website Security Talking Points," accessed Oct. 7, 2013
MSNBC, "Breaking Down the GOP Obamacare Argument," Oct. 3, 2013
PC Mag, "Beware of Fake Obamacare Insurance Marketplace Sites," Oct. 3, 2013
Phone interview with Christopher Rasmussen, Health Privacy Project analyst, Oct. 7, 2013
Phone and email interviews with Scott Borg, U.S. Cyber Consequences Unit CEO, Oct. 8, 2013
Phone interview with Tim Jost, Washington and Lee health policy professor, Oct. 8, 2013
Politico, "HHS To Take Healthcare.gov Applications Offline This Weekend For ‘Scheduled Maintenance," Oct. 7, 2013
Reuters, "‘The System is Down’: Obamacare Glitches Go Public, Reasons Unclear," Oct. 1, 2013
Slate, "Is the New Obamacare Website Really a ‘Hacker’s Dream?’", Sept. 30, 2013
Slate, "PGSTX0534 Will Not See You Now," Oct. 6, 2013
Star Tribune, "Errant Email Creates Security Breach at MNsure," Sept. 13, 2013
State Government Finance Committee, "Minnesota Health Insurance Exchange Security Update," Feb. 13, 2013
U.S. Government Printing Office, "The Patient Protection and Affordable Care Act," March 23, 2010
Washington Post, "Here’s Why Getting the Obamacare Exchanges to Work Was So Difficult," Oct. 4, 2013
Washington Post, "Obamacare’s Web Site is Really Bad," Oct. 4, 2013
Read About Our Process
In a world of wild talk and fake news, help us stand up for the facts.