David Kennedy is a cybersecurity expert who runs a computer security firm called TrustedSec, LLC. He is in the news because of his expert testimony to Congressional committees on the security of healthcare.gov, the website to which people go to apply for ObamaCare health insurance if they are in a state with a federal health-insurance exchange.
Kennedy’s basic message is that there is no effective security of personal data that is submitted to healthcare.gov. He is a so-called “white-hat” hacker: Companies hire him to hack into their computers and then tell them how to fix the entry points he discovers. One can reasonably expect that he knows what he is talking about.
Some in the media resist his warnings. Media Matters, for example, insists that we are to believe the claims of the website’s own cybersecurity expert ― a government employee ― that everything is hunky-dory.
Between November 27 and December 15, the supermarket Target suffered a breach that allowed hackers access to online customers’ credit-card and shopping data. The company immediately announced the problem, and is taking steps to address the consequences. It has a specific website that explains what it is doing to respond to the breach and future threats.
As a private company, Target cannot afford to irritate its customers. The federal government faces no such constraint. Last December, the Government Accountability Office (GAO) published a report titled Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent.
The report is an eye-opener. Between 2009 and 2012, the number of reported data breaches (affecting personally identifiable data) almost doubled from about eleven thousand to about twenty-two thousand.
The Centers for Medicare & Medicaid Services (CMS), which now runs ObamaCare, was one of the agencies examined by the GAO. CMS did not assess the likely risk of harm and level of impact of a suspected data breach in order to determine whether notification to affected individuals was needed. Further, according to GAO, “CMS did not document a risk level for 56 of the 58 incidents we reviewed” during the period.
That is: CMS did not even bother to assess the risk of exposing personally identifiable data for 97 percent of the security breaches it experienced. And it does not (cannot) notify possibly affected individuals.
And the period examined ended almost two years before healthcare.gov opened for business. Last October, CMS began enrolling people at healthcare.gov. Millions have already surrendered personal data to the website.
How many have had their personal data compromised? We don’t even know when they will know.