New details have surfaced about a data breach first reported on October 19 involving a healthcare.gov portal, which is currently said to affect as many as 75,000 consumers.
In a letter to affected parties this week, the Centers for Medicare and Medicaid Services (CMS) stated the sensitive data exposed may have included Social Security numbers and a variety of other personal information, such as income, tax filing status, family relationships, and immigration status.
No financial information was involved, CMS said. Nor did the exposed data include any diagnosis or treatment information.
The letter, which was posted by CMS online and first reported by TechCrunch, noted its release was not publicized by the agency. (Neither CMS, nor Seema Verma, the agency’s administrator, posted the information via social media.)
In mid-October, Gizmodo reported the breach impacted specifically the Direct Enrollment system, which Americans use to enroll in healthcare plans via the insurance exchange established under the Affordable Care Act. The affected portal is used by insurance agents and brokers to help Americans in the process of signing up for health coverage.
“We immediately shut off these agent and broker accounts, and also shut off the entire agent and broker function while changes were made to improve security,” CMS said.
It remains unclear whether any of the sensitive information left accessible was accessed or misused, the agency added. Nevertheless, the agency is currently offering any consumers involved access to free identify theft protection due to the inclusion of Social Security information.
A half-ass law passed earlier this year in response to last year’s Equifax breach, which unfortunately rolled back banking reforms passed in the wake of 2008 financial crisis, also gave Americans the ability to freeze their credit without charge if they suspect their identities are at risk.
TechCrunch also reported that the breach included information about children and, citing a person familiar with the ongoing investigation, said the total number of affected customers is expected to change.