Lawmakers grill officials on Healthcare.gov data

Lawmakers pressed officials about consumer data on Healthcare.gov being shared with outside companies during a Tuesday House hearing.

The hearing comes after revelations last week that the federal ObamaCare exchange was giving sensitive information about enrollees — including age, income, smoking habits and computer IP address — to private companies for advertising and data analysis purposes. The discovery spurred a new round of privacy concerns about the much-maligned website.


Lawmakers on the House Subcommittee on Research and Technology heard from top government cybersecurity research officials and private sector tech and security executives.

“They sell that information to any number of people,” said Rep. Dan Newhouse (R-Wash.), wondering “whether that makes the website more vulnerable.”

Newhouse grilled an official from the National Institute of Standards and Technology (NIST), the government standards-setting agency, about the issue.

In 2013, President Obama directed NIST to develop a cybersecurity framework to help the private sector and government regulators assess cyber risks.

“Does the NIST cyber framework contemplate that a federal agency would be certified, then allow scores of data mining shops” to sit on Healthcare.gov? Newhouse asked.

Charles Romine, who directs NIST’s Information Technology Laboratory, declined to comment on “the specific issues in this case.” He did note the cyber framework directs organizations to “ensure that privacy considerations are taken into account” when assessing cybersecurity risks.

Cybersecurity experts also raised concerns about the scope of the data sharing.

“I do find it surprising that there are that many additive websites or technologies that are able to access the data,” said Cheri McGuire, vice president of global government affairs and cybersecurity policy at security firm Symantec.  

While McGuire couldn’t “speak to the specifics,” she added that opening up a network to outsiders “would provide some additional vulnerabilities.”

Shortly after the practice was reported, two Republican senators told the administration it had violated the privacy of millions of Americans. A few days later, the administration added extra layers of encryption to the site, which cut back the amount of information that could flow to outside companies.

“My understanding is companies are not actually perched on Healthcare.gov,” said Rep. Dan Lipinski (D-Ill.), the subcommittee’s ranking member, in response to Newhouse’s comments. “They’re being given data from there. That’s very different.”

Healthcare.gov has had repeated technical challenges and privacy issues since it’s launch in October 2013.

Lipinski cautioned that he didn’t want to “suggest that everything is wonderful with Healthcare.gov and especially the D.C. website, which was completely atrocious once again for the second year in a row.”

But the recent discovery about sharing Healthcare.gov data with outside companies is “a whole different issue,” Lipinski said.

Still, it’s still an issue Congress can and should look into, he told The Hill after the hearing.

“I always have privacy concerns,” he said.