To: House Republicans
From: Eric Cantor
Date: January 2, 2014
Re: Legislation on Data Breaches and Obamacare
Two weeks ago, millions of Americans learned from the press that hackers may have gained access to their personal financial information as a result of a data breach at Target.
While the Target breach has received well-deserved attention, another report last week also deserves attention. Experian, the credit report bureau which also has a division that works on data breaches, released a report that stated, "The healthcare industry, by far, will be the most susceptible to publicly disclosed and widely scrutinized data breaches in 2014."
The author of the Experian report was interviewed by "Information Week," which reported (http://www.informationweek.com/healthcare/policy-and-regulation/healthcare-data-breaches-to-surge-in-2014/d/d-id/1113259):
[The author of the study] said he is basing this prediction at least partly on reports of security risks posted by the HealthCare.gov website and the health insurance exchanges established by various states. The web infrastructure to support health insurance reform was "put together too quickly and haphazardly." The most glaring problem for these sites has been their inability to keep up with consumer demand. The organizational infrastructure behind the implementation of Obamacare is also complex, meaning that many parties have access to the personal data and could misuse or mishandle it. "So we have volume issues, security issues, multiple data handling points -- all generally not good things for protecting protected health information and personal identity information."
Four separate House Committees (Science, Homeland Security, Energy & Commerce, and Oversight & Government Reform) have also documented the risks of data breach in the online exchanges operated by the Obama Administration.
“Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov?” Hearing 11/13, Homeland Security.
“Is My Data on Healthcare.gov Secure?” Hearing 11/19, Science.
“Security of Healthcare.gov.” Hearing 11/19, Energy and Commerce.
Oversight and Government Reform Release 12/20: CMS Officials Launched HealthCare.gov Against Warning of Agency’s Top Cybersecurity Official
To date, the Administration has downplayed the risk of a data breach, perhaps in part because their primary goal is signing people up for insurance through the Exchange. Regardless, if there is a breach Americans shouldn't have to wonder whether or not they will receive prompt notification so that they may act to protect their personal identity and finances. That is why the Administration's position on data breaches, published by CMS in their Exchange Program Integrity Rule in August, is so troubling:
“Finally, in response to the comment requesting consumer notification when a security breach occurs, we note that the FFE’s [Federally Facilitated Exchanges] incident handling procedures will require CMS to determine whether a risk of harm exists and if individuals need to be notified.” (emphasis added)
If a breach occurs, it shouldn't be up to some bureaucrat to decide when or even whether to inform an individual that their personal information has been accessed. Several of our colleagues, including Diane Black, Kerry Bentivolio, and Gus Bilirakis, have introduced legislation to strengthen security requirements as well as require prompt notification in the event of a breach involving personal information. It is my intent to schedule legislation on this topic when we return next week. And in the coming weeks, we will continue to address other areas where greater transparency is demanded, including the disclosure of reliable and complete enrollment data. These steps will be part of the overall effort to protect the American people from the harmful effects of Obamacare by ultimately repealing and replacing the law with patient-focused reforms that expand access, ensure quality care, and help control costs.
American families have enough to worry about as we enter the new year without having to wonder if they can trust the government to inform them when their personal information -- entered into a government-mandated website -- has been compromised.