Early last week, the Centers for Medicare & Medicaid Services (CMS) announced suspicious activity in the Federally Facilitated Exchanges (FFE), the portal used by agents and brokers.
On October 13, 2018, a CMS staffer noticed the anomalous activity, and the agency declared a breach on October 16. An unauthorized user reportedly accessed the files of approximately 75,000 individuals. Since learning of the unauthorized activity, CMS has deactivated the agent and broker accounts in question, according to an October 19 press release.
“Our number-one priority is the safety and security of the Americans we serve. We will continue to work around the clock to help those potentially impacted and ensure the protection of consumer information,” said CMS administrator Seema Verma in the press release.
“I want to make clear to the public that HealthCare.gov and the Marketplace Call Center are still available, and open enrollment will not be negatively impacted. We are working to identify the individuals potentially impacted as quickly as possible so that we can notify them and provide resources such as credit protection.”
The breach reinforces the need for both private and public insurers to adopt the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law published in late 2017, according to Michael Magrath, director, global regulations and standards, OneSpan Inc.
The NAIC’s Model Law doesn’t go into effect until January 1, 2019, but South Carolina was the first state to become an FFE state in May 2018 when it adopted the law with the South Carolina Insurance Data Security Act.
“Although written for states to adopt, there is nothing prohibiting the federal government from mandating tighter cybersecurity controls in its own programs, especially when it comes to protecting sensitive personally identifiable information (PII) such as health insurance information,” Magrath said.
“A key provision of the regulation is the use of multifactor authentication to protect against unauthorized access to nonpublic information or information systems, with ‘nonpublic information’ being the individual’s private information,” he said.