The health care marketplaces have "no privacy protections."

Tom Cotton on Thursday, October 3rd, 2013 in an MSNBC interview

The health care marketplaces have 'no privacy protections,' Cotton says

U.S. Rep. Tom Cotton discusses healthcare.gov privacy concerns on MSNBC.

When it comes to Web design, everyone’s a critic. The Affordable Care Act’s new online marketplaces certainly aren’t an exception. But some Internet complaints directed in President Barack Obama’s general direction go beyond cosmetics, attacking security, too.

Rep. Tom Cotton, R-Ark., who opposes Obamacare, was particularly vocal on MSNBC about the issues he saw with the new system. He said lawmakers now realize some of the shortcomings of the system, including technical concerns.

"They realize that the websites aren't ready, that there's no privacy protections, that there's likely to be data breaches," he said.

Now, it’s clear that there are lots of bugs in the online marketplaces where consumers browse and purchase health care plans. There have been reported issues with the live chat function, registration process and speed of service, among other things. It’s not even clear how many people have been able to buy insurance, but it doesn’t seem like very many.

Cotton, though, said that the websites have no privacy protections and are therefore likely to be hacked. We decided to look into it to determine just how vulnerable consumer information is.

Where does your personal data go?

As users navigate healthcare.gov, they get pointed toward the marketplace websites appropriate for their specific states. To apply for health insurance, they have to submit some sensitive information, including a Social Security number and last year’s income.

The site itself routes responses through a data hub, so that the Internal Revenue Service, the Department of Homeland Security and the Social Security Administration can verify customers’ identities and confirm eligibility for subsidies to buy health insurance.

This information isn’t stored in the hub itself, though, according to the Centers for Medicare and Medicaid Services, which oversees the online marketplaces. So information isn’t sitting there waiting to be stolen.

There are baseline privacy standards for the marketplaces that come directly from the health care reform legislation itself and previous health privacy laws. All the information collected must be relevant to determining eligibility and enrollment, said Christopher Rasmussen, a Health Privacy Project analyst at the Center for Democracy & Technology.

The information is submitted through secure protocols that government websites have long followed, said George Smith, an expert in the technology and science of cybersecurity.

The U.S. Department of Commerce developed a cybersecurity framework (that we would link to, if not for the government shutdown) that includes guidelines and best practices for organizations to secure their IT systems, designed to complement risk management already in place.

Scott Borg, CEO of the U.S. Cyber Consequences unit, a nonprofit institute that researches the economic consequences of possible cyber attacks, said the marketplaces are more secure than most popular e-commerce sites because they’re less complicated.

"We can expect the health insurance industry websites after the Affordable Care Act is fully operating to be simpler, less numerous, and more like each other," Borg said. "This will make them easier to secure and, in general, should improve their cyber security."

Potential data breaches

When we asked Cotton’s office about his statement, his staff pointed us to an August report indicating that government agencies pushed back some early security testing deadlines. This is true, but CMS reported later that the security testing was completed in September. That includes security testing done by an independent organization.

The final security authorization for the marketplace websites was completed on Sept. 6, two days behind the original timeline and several weeks before the marketplaces opened in October.

We also looked at an incident of a state website leaking personal data that a spokeswoman from Cotton’s office referred us to. MNsure, the Minnesota marketplace, accidentally emailed a spreadsheet identifying 2,400 insurance agents to an insurance broker’s office.

But that didn’t involve consumer data, and it happened prior to the opening of the MNsure marketplace on Oct. 1. Also, MNsure reported that this was due to human error, not an IT glitch.

Can the marketplace websites be hacked?

Data isn’t lying around for federal employees to take, but we also wanted to see how easy it might be for hackers to access.

"In general, it is very difficult to assess whether any website has adequate data security without conducting an internal security audit or attempting an attack from the outside," said Anton Dahbura, the executive director of the Johns Hopkins University Information Security Institute.

However, we found no evidence that the healthcare.gov webpages are any more vulnerable to attack than other websites associated with traditional e-commerce.

"These are actually going to be more secure than most government sites need to be," Borg said.

Our ruling

Cotton claimed that there are no privacy protections in the new online health care marketplaces. However, we found federal privacy regulations in the Affordable Care Act that keep the system’s data hub from storing user data.

The cybersecurity experts we spoke with said that the security precautions in place on healthcare.gov are at least as strong as secure e-commerce websites consumers are already accustomed to using. No one we spoke with raised concerns about privacy. The most relevant complaints we saw remain that the websites are slow, not that consumer information is vulnerable.

We rate Cotton’s statement False.