Healthcare.gov’s secret permanent enrollee database is a mega-hack waiting to happen

Indefinite data storage plus continuing HHS information security failures spell disaster

Andrea Castillo
Published in Plain Text
Jun 17, 2015


This week, the Associated Press reported that a little-known Healthcare.gov data warehouse plans to maintain the names, addresses, Social Security numbers, passport numbers, employment records, and financial accounts of millions of Obamacare customers on record “indefinitely.” What’s more, these records can be shared with other agencies like the Department of Defense (DOD) and Department of Homeland Security (DHS).

The data system, shortened from the unwieldy “Multidimensional Insurance Data Analytics System” to MIDAS, has raised eyebrows in privacy and security circles for violating one of the most basic data protection principles: only store data for as long as necessary.

But MIDAS’s inexplicable delay in developing appropriate data destruction policies gives us only a small glimpse into the Department of Health and Human Services’ (HHS) and the Center for Medicare and Medicaid Services’ (CMS) larger information security problems.

In fact, after digging into this story, I’ve found out that it is much, much worse than a tale about bad information management. MIDAS is a case study in government deception.

Federal officials routinely neglected to inform the public about the MIDAS program’s vast data extraction capabilities, deciding instead to emphasize how the smaller Obamacare “data hub” would not store information. By focusing solely on the data hub, officials misled Americans into believing that the data risks with Healthcare.gov were much smaller than they truly are.

Officials were successful in their bid to sneak the immense MIDAS data program beyond the public’s notice. With little oversight and virtually no public discussion, the Healthcare.gov architects have exposed untold millions of Obamacare enrollees to major hacking risks.

Previous IT audits revealing a history of unaddressed security vulnerabilities suggest that these offices are unlikely to adequately manage the vast amounts of personal data stored for Healthcare.gov — and that a major external breach on the level of the OPM hack is a dangerous possibility.

Officials obfuscated Healthcare.gov data retention

Hey, at least it’s not a stealth data collection program.

Healthcare.gov’s many early missteps yielded swarms of emergency techies descending upon the Potomac to get that sucker up and running, 500 million lines of code, an over $2 billion rollout, and a humorous SNL opening sketch that probably still haunts Kathleen Sebelius’s worst nightmares.

But amid the ample talking-head fodder targeting the Obama administration’s humiliating failure to make the president’s chief accomplishment, you know, work, Healthcare.gov’s considerable data management role got lost in the shuffle.

The Obama administration was quick to promise Americans that its monumental health care reform platform would not pose data security problems. However, it was not exactly clear about how much personal data would be retained in the Healthcare.gov system.

Daydreaming of all the great MIDAS dirt she would soon score on her clueless Republican agitators.

Officials rarely talked about MIDAS data storage, preferring instead to discuss the coordinating “data hub” that merely verified information to determine applicant eligibility.

During a 2013 House hearing on the Obamacare health information sharing apparatus, Medicare administrator Marilyn Tavenner assured representatives that CMS would focus on “storing the minimum amount of personal data possible.” Furthermore, the “Federal Data Services Hub” that CMS was developing to validate information would “not retain or store information” but would only “query government databases used” at the time.

However, none of the administration’s representatives discussed the MIDAS system, which had been secretly in the works at HHS since around 2011, during this hearing.

“were in our secret obamacare database, storin ur recordz.”

In fact, officials did not talk publicly about MIDAS very much at all. It wasn’t an elected official or appointed administrator who informed the public about this “central repository for health insurance coverage” — it was a senior executive at CACI, the private contractor awarded over $110 million to build out the system.

Documents now made public show that MIDAS was planned to perform significantly more intrusive data analysis on Healthcare.gov applicants than public statements suggested. A 2011 statement of work lists some of MIDAS’s intended functions:

  • integrating voluntarily-inputted Healthcare.gov data into a single, web-based information store;
  • providing federal agents with access to data reports, ad hoc queries, and visualization; and
  • providing robust predictive analytic capabilities from Healthcare.gov data collected and maintained.

Healthcare.gov therefore presents far more concerning data privacy and security issues than officials’ benign statements led the public to believe.

MIDAS was implemented without a full privacy assessment

I’d give Healthcare.gov’s security a thumbs down, actually.

Transparency and oversight be damned, CMS and HHS plowed ahead with the expensive MIDAS implementation. But in their rush to get this hushed-up database online by the first enrollment period of October 2013, the Healthcare.gov architects cut a few privacy and security corners.

A Government Accountability Office (GAO) audit from September of 2014 warned that CMS had not even adequately analyzed MIDAS’s privacy risks despite operating the program for over a year. Without an honest assessment of MIDAS’s security vulnerabilities, GAO doubted CMS’s abilities to protect user data. A pretty good hunch.

CMS does not appear to have been too concerned by the GAO’s warnings. They didn’t issue their half-assed privacy impact analysis (PIA) until January of this year. Unfortunately, it offers more questions than answers.

Unanswered questions

This is me, waiting for answers from CMS.

We still don’t know exactly who will be able to access MIDAS data, how it will be secured, whose data will be stored, and for how long.

It is now clear that other federal agencies, such as DOD and DHS, will be able to access the MIDAS data as well.

But questions remain about exactly how many federal agents will be able to access these massive MIDAS datasets. The document simply states that users will only be able to access “the data and server resources needed to perform their job.”

CMS does spend a fair amount of time considering how they will ensure the accuracy of the MIDAS dataset, but has less to say about its security. One sentence is spared to explain that personnel will receive security training through “webinars and presentations,” which gives us an idea of the low priority CMS gives to data security.

Additionally, we don’t know how many Americans will be affected by MIDAS collection. The PIA vaguely reports that “1 million or more” users may have their data stored indefinitely — surely a low estimate, given the millions more Americans who have enrolled at Healthcare.gov, plus the unknown others who unwittingly volunteered their personal information for permanent storage by entering data into an abandoned application.

Will the health data of the people who enrolled in a state exchange also be hoovered up by the mighty MIDAS? The PIA suggests “yes,” but CMS officials have yet to clearly explain this to the public.

Finally, the document indeed states that “data in MIDAS is maintained indefinitely at this time,” as the AP reported.

Miraculously, after years of sleepy unconcern about the public’s hazy understanding of the MIDAS program, CMS has suddenly sprung into action to challenge the AP report. In an email to Fusion, a CMS representative claims that they plan to destroy this data after ten years.

But ten years is probably still way too long, and CMS has yet to explain why they chose this particular range of time — assuming that they even have a considered justification. At any rate, the office’s reactive and vague response to a rare bout of investigative journalism does not exactly inspire confidence in their claimed prioritization of privacy and security.

HHS: a track record of failure

That such a broad-sweeping program storing the health and financial data of millions of Americans was by and large kept out of public discussion is concerning in itself.

But looking to HHS’s track record on its own information security reveals another bleak picture: the agency reports thousands of information breaches each year, consisting mostly of malware, personnel violations, physical breaches, and equipment and social engineering failures.

Fail.

If nothing else, last week’s news of the massive hack of OPM databases containing sensitive personal, health, and financial data of over 14 million current and former federal employees, contractors, and their families, friends, and associates should be a teachable moment about the importance of good data hygiene. And honesty is always a good policy no matter the day’s dramas.

The brains behind Healthcare.gov apparently have yet to internalize this message. Their actions suggest a prioritization of expanded power over transparency and data security — a particularly dangerous combination to motivate such vast government information collection.
