On Tuesday, a House subcommittee heard testimony from public- and private-sector stakeholders following reports that found HealthCare.gov was sharing certain consumer data with third-party companies, The Hill reports (Bennett, The Hill, 1/27).
Last week, technology experts analyzing HealthCare.gov noted connections between the site and several third-party technology companies, prompting concerns about privacy. The investigation found that dozens of data companies might be able to determine when a user is on HealthCare.gov. Further, according to the investigation, some companies might be able to piece together a user’s age, income, ZIP code and medical information.
HHS over the weekend added another encryption layer to the site to help reduce the amount of data that is shared with other companies. The changes will decrease the amount of information that is available to third parties for consumers using HealthCare.gov’s window-shopping feature (iHealthBeat, 1/26).
During the House Subcommittee on Research and Technology hearing, Rep. Dan Newhouse (R-Wash.) said third-party vendors “sell that information to any number of people” and questioned “whether that makes the whole website more vulnerable.”
Newhouse asked Charles Romine, director of the National Institute of Standards and Technology’s Information Technology Laboratory, whether “the NIST cyber framework contemplate[s] that a federal agency would be certified, then allow scores of data mining shops” to exist on HealthCare.gov.
Romine said he would not comment on “the specific issues in this case,” adding that NIST’s cyber framework calls on organizations to “ensure that privacy considerations are taken into account” when determining cybersecurity risks.
Meanwhile, Cheri McGuire, vice president of global government affairs and cybersecurity policy at Symantec, said that while she could not “speak to the specifics” of HealthCare.gov, she did “find it surprising that there are that many additive websites or technologies that are able to access the data.” She added that allowing many third-party vendors to access a network “would provide some additional vulnerabilities.”
Separately, Rep. Dan Lipinski (D-Ill.) said, “My understanding is companies are not actually perched on HealthCare.gov. They’re being given data from there. That’s very different.” He added that while he was not intending to “suggest that everything is wonderful with HealthCare.gov,” the data-sharing situation was “a whole different issue” than other reported website problems (The Hill, 1/27).