U.S. Rep. Greg Walden (R-Ore.) released a message on House passage of the Health Exchange Security and Transparency Act (H.R. 3811), a bill of which he is an original co-sponsor.
A transcript of his remarks is below:
“Whether you support the Affordable Care Act or you oppose Obamacare, the federal government should have to tell you if somebody has stolen your personal information from the health care exchange. That’s what happens in the private sector: when the data is compromised, the companies have to tell you if your data is compromised.
“The same should apply to Washington. It should apply to the health care exchange. The government should have to tell us if our personal information is stolen. That’s what this legislation does.
“And it’s important because in our oversight hearings on the Energy and Commerce Committee, we determined that the end to end security checks had not been done on the Obamacare website exchange. They haven’t even finished writing all the code. As a result, outside groups have said one of the greatest vulnerabilities for personal data breaches for this year is actually out of the Obamacare exchanges.
“So it’s important to pass this legislation—of which I’m an original co-sponsor—to make sure you are notified by the federal government immediately if your data are stolen.”
The bill requires the Department of Health and Human Services to notify individuals if their personal information has been stolen or unlawfully accessed through an Obamacare exchange within two business days after discovery by the Secretary.
Walden and his colleagues on the Energy and Commerce Committee have uncovered facts that raise serious concerns about the security of the law’s exchanges. During an October hearing, contractors who built the federal health exchange admitted to Walden that a full end to end test of the site hadn’t been completed before launch.
The Chief Information Security Officer for the Centers for Medicare and Medicaid Services, Teresa Fryer, wrote in a draft memo that the federal exchange “does not reasonably meet … security requirements” and that “there is also no confidence that Personal Identifiable Information (PII) will be protected.”
Questions have also been raised about the security of personal information on the state’s exchange, Cover Oregon.
