The Department of Health and Human Services’ Center for Medicare and Medicaid Services (CMS) reported a data breach of its HealthCare.gov site, with the attacker accessing the files of about 75,000 people, the agency said in a statement released Friday.
The attacker used the Federally Facilitated Exchanges Direct Enrollment pathway for agents and brokers to access consumer records. CMS detected the activity on October 13, declared it a breach on October 16, and then disabled the pathway for agents and brokers. CMS also disabled the accounts of the affected agents.
“CMS followed standard and appropriate security and risk protocols for researching and reporting the incident. Upon verification of the breach, CMS took immediate steps to secure the system and consumer information, further investigate the incident, and subsequently notify Federal law enforcement,” the agency said in a statement.
CMS said that other enrollment channels remain operational and were not impacted by the breach.
“I want to make clear to the public that HealthCare.gov and the Marketplace Call Center are still available, and open enrollment will not be negatively impacted. We are working to identify the individuals potentially impacted as quickly as possible so that we can notify them and provide resources such as credit protection,” said Seema Verma, CMS administrator.
The breach has already attracted attention from Capitol Hill. Sen. Ron Johnson, R-Wisc., sent a letter to HHS Secretary Alex Azar and CIO Ed Simcox on Saturday requesting more information and a briefing for staff of the Senate Homeland Security and Governmental Affairs Committee, which Johnson chairs.