Could HealthCare.gov's data warehouse be the target of the next big breach?: 5 things to know

Although the Obama administration has declared MIDAS, a central data repository for information collected under the administration's healthcare laws, as having met federal standards for privacy and security, a Monday announcement raises some concern about MIDAS' vulnerability following the large government breach of personal employee records earlier this month. 

The Multidimensional Insurance Data Analytics System, or MIDAS, is a government data warehouse that stores the information of both citizens who seek coverage through the Patient Protection and Affordable Care Act using HealthCare.gov and those who simply open an account, according to an Associated Press report. A government privacy assessment notes that the system contains user information including names, Social Security numbers, addresses, phone numbers, financial accounts, employment status and passport numbers.

Concerns about MIDAS' vulnerability range from the indefinite time frame for which it maintains data to questions about who has access to the information. While spokesman Aaron Albright has said that MIDAS is a critical piece of the healthcare marketplace ecosystem, Michelle De Mooy, deputy director for consumer privacy at the Center for Democracy & Technology, has stated that consumers have no way of knowing that their data is being routed to MIDAS: it is not mentioned on the HealthCare.gov website.

Here are five things to know about MIDAS.

  • A January 2015 government privacy assessment stated that data collected and stored as part of MIDAS will be maintained indefinitely. In Monday's statement, the administration stated that indeed, no final time frame has been decided and the National Archives has recommended a 10-year retention period for the data.
  • MIDAS is owned by CMS and operated by a major government technology contractor, CACI.
  • The administration says MIDAS is hosted in a secure data center. The administration also says a limited number of government and contractor employees have regular access, and that this access is monitored and tracked, but officials won't say how many people have access.
  • The administration launched MIDAS without a complete privacy assessment, according to a Government Accountability Office report that stated the system went live without an examination of privacy risks. The risk examination was completed after the launch.
  • The administration has said that MIDAS contains the personal information of about 1 million individuals; however, this number is likely much higher considering that the system retains the information of eligible Medicaid recipients, former customers and those who started applications but did not finish them.
