The breach comes as the Trump administration hopes to rely more heavily on professionals to assist consumers during open enrollment.
CMS officials have reported a data breach in the portal for the part of the marketplace exchange used by agents and brokers who help consumers sign up for health insurance. The activity affected about 75,000 individual files, and the portal has been disabled as officials investigate what happened.
The breach comes as CMS hopes to expand the role of the agents and brokers in helping consumers sign up for coverage under the Affordable Care Act (ACA). Putting more emphasis on these professionals allows the administration to reduce what it plans to spend on consumer groups to act as navigators. The budget for that program has shrunk from $63 million at its peak to just $10 million, as the Trump administration said navigators were not enrolling enough people and the effort was not cost-effective.
CMS announced the breach late Friday, and officials said it was first detected October 13, with the breach declared October 16. “Our number one priority is the safety and security of the Americans we serve. We will continue to work around the clock to help those potentially impacted and ensure the protection of consumer information,” said CMS Administrator Seema Verma in a statement. “I want to make clear to the public that HealthCare.gov and the Marketplace Call Center are still available, and open enrollment will not be negatively impacted.”
“We are working to identify the individuals potentially impacted as quickly as possible so that we can notify them and provide resources such as credit protection,” Verma said.
CMS described the incident as an “evolving situation” and said it would provide additional updates. Federal law enforcement agencies are working on the matter, and the agency said it hoped to have the portal working within the next 7 days. The portal is not accessible to the general public.
Healthcare data breaches have become increasingly common in recent years, as reliance on technology increases and the value of a person’s health record rises relative to credit or banking information. In May 2017, a cyberattack involving the bug “WannaCry” hit health systems around the globe, affecting Great Britain’s National Health System and forcing others to pay a ransom or fee to access their own systems.
Under the ACA, consumers hoping to qualify for income-based subsidies to pay for health coverage must provide extensive personal information, including their Social Security numbers, their income, and information about their citizenship or legal immigration status.
Open enrollment for coverage under the ACA is scheduled to begin November 1.