By Randall Friedland

According to a GAO report published September 16th, the health insurance exchange rolled out last October still has significant privacy weaknesses. Specifically, the report outlined that despite the Centers for Medicare & Medicaid Services’ (CMS) efforts to increase the security and privacy of the data it processes, maintains, and shares with both federal and commercial partners in support of the exchange, “weaknesses remain both in the processes used for managing information security and privacy as well as the technical implementation of IT security controls.”

The report maintains that, “[u]ntil [CMS] addresses shortcomings in both the technical security controls and its information security program, CMS is exposing data and its supporting systems to significant risks of unauthorized access, use, disclosure, modification, and disruption.”

The report included several recommendations that the Secretary of Health and Human Services should direct the Administrator of CMS to implement, including:

1. Ensuring that the Federally Facilitated Marketplace (FFM) system security plans include all the information that the National Institute of Standards and Technology recommends, including plans that identify the individual responsible for the control and security of the system.

2. Ensuring “that all privacy risks are analyzed and documented in their privacy impact assessments.”

3. Performing “a comprehensive security assessment of the FFM, including the infrastructure, platform and all deployed software elements.”

4. Establishing “detailed security roles and responsibilities for contractors, including participation in security controls reviews, to better ensure that communications between individuals and entities with responsibility for the security of the FFM and its supporting infrastructure are effective.”

Lawmakers have expressed concern over the details of the report, considering that the exchange collects personally identifiable information, such as Social Security numbers, employment and wage information, and personal addresses of several million individuals. In a letter to Marilyn Tavenner, Administrator of CMS, Republican leaders in both the House and Senate expressed their dismay over the ongoing security vulnerabilities and requested that the Obama Administration provide details on whether the website’s security has been tested prior to the upcoming open enrollment period. The letter also asked the Obama Administration to provide information about any incident in which the security of the website had been compromised, and for an assurance that the website complies with all federal laws that protect personal information, including the Privacy Act of 1974.