Washington, D.C. – Today Congressman Diane Black (R-TN-06) and Congressman Patrick Meehan (R-PA-07) led a letter to Department of Health and Human Services (HHS) Secretary Sylvia Mathews Burwell and Centers for Medicare and Medicaid Services (CMS) Administrator Marilyn Tavenner demanding information on the Obama Administration’s practice of sharing consumers’ private information through Healthcare.gov. You can read a copy of the letter here. Reps. Black and Meehan also introduced the Federal Exchange Data Breach Notification Act of 2015. This legislation would simply require the government to notify consumers if their personal information is breached on the Healthcare.gov exchanges. Currently there is no such requirement under federal law – despite similar standards being in place for the private sector and state-run exchanges.
The Associated Press reported last week that numerous third-party vendors were given access to consumers’ personal data – including age, income, zip code, and smoking and pregnancy status – through Healthcare.gov. Rep. Black immediately responded to the report, citing “inherent security flaws” in the Healthcare.gov website and calling for data-breach notification legislation to protect users’ personal information when accessing the federal healthcare exchanges. Last Friday, the Obama Administration announced that it would “scale back” data sharing on Healthcare.gov; however, it is still unclear what information will continue to be transmitted and what is done with information that was already collected.
“I have warned for over a year now of security and privacy concerns under Healthcare.gov. Sadly, from the website’s hacking last summer, to these latest revelations of data-sharing without users’ knowledge or consent, the Obama Administration continues to show that our concerns are well-founded and that Americans’ personal information on this site remains at risk,” said Congressman Diane Black. “Americans deserve the highest standards of privacy and confidentiality when enrolling in health insurance, and they certainly shouldn’t be left holding the bag for this Administration’s failure to maintain a secure website. That is why my letter to the Administration demands answers on Healthcare.gov’s privacy and security standards and seeks information on what data was collected by Healthcare.gov, how long it was stored, and in what way it was secured.”
Congressman Black added, “In light of the Obama Administration’s latest failing, I am proud to reintroduce the Federal Exchange Data Breach Notification Act of 2015. This commonsense legislation will simply require the government to notify affected consumers if their personal information is compromised on Healthcare.gov. It defies all logic that this basic requirement is not already law. I was pleased to carry this legislation in the last Congress and will fight once again for its passage so that Americans can take action to protect themselves in the event of an Obamacare security breach.”
“It is unacceptable that security and privacy failures keep happening with Healthcare.gov,” said Congressman Patrick Meehan. “No American should have to fear their data will be exploited or compromised through HealthCare.gov. The data on the exchanges is among families’ most private, and it should not be shared without a user’s consent. The legislation we have introduced today will ensure that the feds live up to their obligation to disclose data breaches on the federal exchange and come clean with consumers.”