The health insurance marketplaces created by the Affordable Care Act will allow Americans to compare participating health plans side-by-side. In order to calculate the subsidy–adjusted premiums for the insurance plans and determine their out-of-pocket costs, these marketplaces (also known as “exchanges”) will require personal information from health insurance shoppers. The personal information will include social security number, income, date of birth, home address, and whether the individual has any physical, mental, or emotional health conditions that limit activities of daily life.1 Given the highly sensitive nature of this information, its safety from misuse by hackers as well as by personnel associated with the exchange is a matter of considerable importance. Not only will multiple software systems store and transmit this data but thousands2 of exchange-related personnel (such as call center staff and third parties such as “navigators” and “web-based entities”3) will have access to portions of the information when facilitating enrollments or determining subsidy eligibility.
HealthPocket conducted two nationwide polls independently to explore the public’s confidence in the protection of personal information collected by the new health insurance exchanges. Specifically, HealthPocket ran one survey that explored Americans’ trust in data security for personal information on Obamacare exchanges and the second survey explored Americans’ certainty in the exchanges’ protection of personal information from misuse by government agencies.
When asked "Are you confident personal information requested within Obamacare insurance marketplaces will be safe from hacking and other misuse?" the majority (57%) of Americans surveyed answered “No.” Surprisingly, Americans’ concern over the misuse of personal data by government agencies was just as prevalent as their concerns over hacking-related data breaches. 53% of survey respondents answered “No” in response to the question "Are you confident personal info requested within Obamacare insurance marketplaces will be treated as private and not inappropriately shared with other government agencies?" Given that the privacy question was asked in an independent survey from the data security survey, the similar levels of doubt regarding exchange privacy protection and data security was striking.
Another unexpected finding of the two surveys was that approximately one-out-of-four Americans are unaware that the exchanges require personal information from the health insurance shoppers who will use them. Those people selecting this answer may have been unaware of the income ceiling and other criteria upon which premium subsidies and cost-sharing reductions will be based.
It is unclear whether recent health insurance exchange news has affected public perspective. In late summer, the inspector general for Health & Human Services expressed concerns about the security testing of the federal data hub supporting the exchanges.4 The Centers for Medicare & Medicaid Services (CMS) subsequently announced that the federal data hub was successfully certified for IT security on September 6, 2013, though the office of inspector general had not independently confirmed this claim at the time of announcement.5
Public perspective may have also been affected by a recent personal information security breach at the Minnesota health insurance exchange, MNsure, which occurred prior to the beginning of Obamacare’s open enrollment period. The breach of personal information was not due to a technical vulnerability but, rather, human error on the part of staff. An employee emailed the names and social security numbers for more than 2,000 insurance agents to an individual not authorized to see this information.6 The information itself was emailed as an unencrypted file, creating an additional security liability over and above the unauthorized recipient.7
To address some of the public’s concerns about security, CMS has released a fact sheet summarizing various security measures implemented on the federal data hub supporting the exchanges.8 Additionally, on September 18th the government began an initiative to reassure the public regarding data security and privacy on the new health insurance exchanges.9 The initiative will include a public education campaign to help people avoid scam artists capitalizing on confusion about the Affordable Care Act as well as a toll-free number to report attempted identity theft and fraud.10 The outstanding question is whether these efforts will be sufficient to make data security and privacy fears a minority opinion instead of a majority one. The advantage for the government is that there is already precedent regarding successful data security and privacy protection for analogous personal information within the Medicare program.
Results are based on the results of two separate nationwide surveys conducted from September 16th through September 19th 2013. The first survey asked 964 adults across the United States "Are you confident personal info requested within Obamacare insurance marketplaces will be treated as private and not inappropriately shared with other government agencies?" Survey respondents had the option of selecting one of the following answers: “Yes,” "No," and "I wasn't aware personal info was required." Answers were displayed in a fixed order. A second separate survey was conducted independently of the first survey. The second survey asked 938 adults across the United States "Are you confident personal information requested within Obamacare insurance marketplaces will be safe from hacking and other misuse?" Survey respondents had the option of selecting one of the following answers: “Yes,” "No," and "I wasn't aware personal info was required." Answers were displayed in a fixed order. The two surveys were displayed within a network of over 100 different news web sites and other content sites. Demographic inferencing and methodology to acquire survey respondents who approximate national statistics on age, gender, income, and region was performed by Google-administered technology. Race, education, and health insurance status were not examined. Margin of error across the first survey is estimated at +3.5/-3.5. Margin of error across the first survey is estimated at +3.5/-3.6.
This study was completed by Kev Coleman, Head of Research & Data at HealthPocket.com. Correspondence regarding this study can be directed to Mr. Coleman at email@example.com.
Feedback and questions are welcome but, given the volume of email, personal responses may not be feasible.
1 The model application form for individuals can be reviewed at http://www.cms.gov/CCIIO/Resources/Forms-Reports-and-Other-Resources/Downloads/marketplace-app-short-form.pdf. The model application form for families can be reviewed at http://www.cms.gov/CCIIO/Resources/Forms-Reports-and-Other-Resources/Downloads/marketplace-app-standard.pdf. Last accessed September 21, 2013.
2 Sharon Begley. "Insight - It takes an army: Tens of thousands of workers roll out Obamacare" Reuters. June 21, 2013. http://www.reuters.com/article/2013/06/21/us-usa-healthcare-hiring-insight-idUSBRE95K06A20130621. Last accessed September 21, 2013.
3 Dan Mangan. "Insurance exchange deal signed with Web insurer sites" CNBC. July 31, 2013. http://www.cnbc.com/id/100925732. Last accessed September 21, 2013.
4 Gloria L. Jarmon. "OBSERVATIONS NOTED DURING THE OIG REVIEW OF CMS’S IMPLEMENTATION OF THE HEALTH INSURANCE EXCHANGE—DATA SERVICES HUB" Department of Health and Human Services. Office of Inspector General. August 2013. https://oig.hhs.gov/oas/reports/region1/181330070.pdf. Last accessed September 21, 2013. Page 4 of the report noted "Because the documents were still drafts, we could not assess CMS’s efforts to identify security controls and system risks for the Hub and implement safeguards and controls to mitigate identified risks. According to CMS’s current timeline, the security authorization decision by the authorizing official, the CMS Chief Information Officer (CIO), is expected on September 30, 2013; the March 2013 schedule reported the date as September 4, 2013. If there are additional delays in completing the security authorization package, the CMS CIO may not have a full assessment of system risks and security controls needed for the security authorization decision by the initial opening enrollment period expected to begin on October 1, 2013."
5 Caroline Humer and Lewis Krauskopf. "Federal data system for Obamacare exchanges gets security OK." Reuters. September 11, 2013. http://www.reuters.com/article/2013/09/11/us-usa-healthcare-security-idUSBRE98A0XT20130911. Last accessed September 21, 2013.
6 Jackie Crosby. "Errant e-mail creates security breach at MNsure." StarTribune [Minneapolis]. September 13, 2013. www.startribune.com/business/223564521.html. Last accessed September 21, 2013.
8 http://www.healthreformgps.org/wp-content/uploads/cmd-hub-security-fact-sheet-9-11.pdf. Last accessed September 21, 2013.
9 Jess J. Holland and Kelli Kennedy. "New Health Care Law Expected to Spawn Scam Artists" Associated Press. September 18, 2013. http://bigstory.ap.org/article/white-house-pushing-health-care-security-measures. Last accessed September 21, 2013.
HealthPocket is a free information source designed to help consumers find medical coverage. Whether you are looking for Medicare, Medicaid or an individual health insurance plan, we will help you find the right healthcare option and save on your out of pocket healthcare costs. We receive our data from government, non-profit and private sources, and you should confirm key provisions of your coverage with your selected health plan. If you select a plan presented on our site, you will be directed (via a click or a call) to one of our partners who can help you with your application. Our website is not a health insurance agency and not affiliated with and does not represent or endorse any health plan. HealthPocket, Inc. is a wholly owned subsidiary of Health Plan Intermediaries Holdings LLC (NASDAQ: HIIQ)