The breach exposed the personal information of 56,415 users. Few people signed up for protection.
The builders of the Affordable Care Act health insurance exchange system wondered whether agents and brokers would play a role in the health insurance market.
Now, the administrators of the ACA public exchange in the District of Columbia are relying on brokers to convince more users to protect themselves from the effects of the latest data breach.
Discovered on March 6th and announced on March 8th, the breach exposed the personal information of approximately 56,415 exchange users, including 17 members of Congress. The data thief posted at least two batches of the data on the identity market, including at least some users’ Social Security numbers and email addresses.
Mila Kofman, executive director of the DC Health Benefit Exchange Authority, the body responsible for the DC Health Link exchange, said Wednesday that the exchange hopes brokers and business organizations will help it get the attention of exchange users, warn them that thieves may have sold their Social Security numbers and other personal data, and persuade people to sign up for free credit bureau identity theft prevention services.
“We gave two briefings for brokers,” Kofman said at a breach hearing hosted by the House Subcommittee on Oversight and Cybersecurity and the House Subcommittee on Administrative Oversight. “92% of them have a broker and we have asked them to notify their customers of this breach.”
Financial services organizations not only need to help consumers plan for the future and protect themselves from the risks of mortality, morbidity and longevity; they also need to get people’s attention when spoofers are putting information about their home addresses and Social Security numbers up for sale on the “dark web.”
In the long run, the hack itself may be as much of a concern for retirement planners in the District of Columbia as it is for health insurance brokers, because criminals may attempt to set up investment accounts under false names using purchased DC Health Link data. They can even steal cell phones from specific homes and combine the phones with Social Security numbers to try to hijack clients’ bank accounts, mutual funds, pensions, life insurance, or other financial services accounts and assets.
DC Health Link
Congress included the ACA public exchange system in the Affordable Care Act, a package of two laws passed in 2010. The District of Columbia and individual states operate local ACA exchanges in some jurisdictions, and the Centers for Medicare and Medicaid Services operates a federal program, HealthCare.gov, for jurisdictions unable or unwilling to run their own exchange program.
Congress attempted to show solidarity with other exchange users by requiring members of Congress and some congressional aides to obtain their own health insurance through the exchange system. Due to this requirement, many members of Congress and other exchange users are insured through DC Health Link.
In March, the exchange had 14,547 individual insurance subscribers and 86,482 subscribers in 5,324 group plans, according to enrollment summaries contained in the exchange board meeting document packet.
Kofman said in her hearing testimony that DC Health Link faces an average of 2,000 malicious attacks per day and has a cybersecurity program that includes technology from the types of providers used by the U.S. military and intelligence agencies.
The breach appears to be related to a reporting system configuration error that has been occurring since 2018, Kofman said at the hearing.
Although the breach impacted the reporting system rather than the main registration system, some registrant records within the report contained various data fields.
In addition to registrant name, Social Security number and home address fields, the system included date of birth, gender, health insurance provider, coverage date, employer name, race, ethnicity and citizenship status data fields.
Credit bureau monitoring offers
DC Health Link began notifying the FBI and other relevant agencies within minutes of discovering the breach. To reduce the impact, it has notified users who may have been affected by sending emails and by displaying a special data breach page and warning pop-up notifications on its website, Kofman said.
Eleanor Norton, who represents the District of Columbia in the House of Representatives, noted that breach notification email open rates range from 22% to 32%.
“Thus, in theory, many individuals affected by a breach are unaware that their data has been stolen,” Norton said.
Norton asked Kofman if DC Health Link had considered using text notifications, phone calls, or paper mail to inform users of the breach.
“We are looking at all available options,” Kofman said.
Kofman told Norton that the exchange uses the utilization rate of its identity theft prevention service as a measure of the effectiveness of its notification efforts.
According to Kofman, about 19.1% of notified users use the Experian credit bureau’s anti-theft tracking. This compares with the typical utilization rate of the Experian identity theft tracking service, which is about 4% for the average data breach victim, she added.
“Obviously, we want to make this protection available to anyone whose information has been stolen,” Kofman said.