There are many pieces to the massive Federal exchange that enrolls people for insurance under the Affordable Care Act (ACA, “Obamacare.”) One of them allows insurance brokers and agents to enroll potential beneficiaries directly. (This is different from the consumer-facing part of the exchange, where consumers can enroll themselves.) On October 13, 2018, the Centers for Medicare and Medicaid Services (CMS) detected “anomalous activity” and by October 16, confirmed that a breach had cooccurred. About 75,000 individuals’ records were stolen. CMS shut down the system on October 20 to install new security measures and planned to have it back online by October 27.

CMS was unusually close-mouthed about the breach, noting only that it was contacting those affected and would offer them identity theft protection. This being the case, we can only speculate about what exactly happened. It could have been as something as simple as an agent leaving their password on a Post-It Note under their keyboard, or as sophisticated as exploiting an unknown fundamental vulnerability in the myriad of software packages that make up the entire exchange system. It must also be remembered that the Exchange software talks to several other systems, including the IRS, and the breach may have come from anywhere in the chain. A 2015 report by the HHS Inspector General found the that the whole healthcare.gov system suffered from some vulnerabilities which had not been rectified as of the date of the report. It is now, of course, three years later.
What Lessons Can We Learn From This?
Because CMS has explained virtually nothing about how the breach happened, it is hard to tell what lessons we can draw from it – other than to note that so far, any system that humans can attempt to secure, humans can find a way to penetrate. No system is entirely safe.
Because CMS did not respond to questions, we do not know, for example, whether end-to-end encryption was used for data transmission, and we do not know if the particular data files accessed were encrypted. Encrypting data in both storage and transmission provides an additional layer of protection – in the ideal case, even if the hackers get the data, they can’t use it.
Was It An Inside Job?
Security officials in both the public and the private sectors are well aware that even with all recommended safeguards in place, they are still vulnerable to hacks by employees or other trusted agents. After all, someone has to be able to access that data to use it. Even if the USB ports on the laptops and desktops are filled with glue, even if biometric identifiers are used, an insider can dump data, zip it into a file, and send it to cloud storage, where it can be accessed by anyone with access to that portion of the cloud. And that will include a population beyond one’s own employees. A really sophisticated hacker can keep events from being logged or modify the logs so that there is no trace that the transmission ever happened. Based on the information CMS was willing to release, we cannot conclude that this was not an inside job. The only fact that militates against it is that the amount of data stolen was so small. If someone were really trying to make a killing on the dark web, they would steal far more. Perhaps this breach was just a “proof of concept.” Or it may merely be a case of unauthorized access. We just don’t know.
Trust? Verify? But?
The experiences of the military and the National Security Agency (NSA) with insider theft of data in recent years suggests that even the steps the military and the intelligence services have taken cannot completely protect them from inside jobs. Edward Snowden, Chelsea Manning, and Reality Winner all were thoroughly vetted and had authentic credentials. Still, the data got out. (Perhaps it is true, as was said in the early data of the web, that “…data wants to be free.”)
No One Is Safe
Security experts repeatedly tell us that our existing systems cannot be made impenetrably secure. It is the very nature of the technology we use now – for health insurance, for banking, for voting – to send large amounts of critical data across unsecured networks for at least part of their journey. All we can do is encrypt, vet out employees, and – hope.