Since before Obamacare's health insurance exchanges went online, there have been worries about the safety and security of personal data collected by the system. But despite hearings and government watchdog reports saying that necessary security precautions weren't taken, the Obama administration has always assured the public that their data is perfectly secure.
"There's no higher priority than protecting consumer information and maintaining trust for the consumers," Andy Slavitt, who is slated to take over the top post at the Centers for Medicare & Medicaid Services later this year, told Politico last November.
Turns out we didn't need to worry about hackers breaking into the government's data troves. The government has been secretly sending out sensitive personal data, including age, zip code, and income information, to private advertising and marketing companies, according to a worrying report this evening from the Associated Press:
The scope of what is disclosed or how it might be used was not immediately clear, but it can include age, income, ZIP code, whether a person smokes, and if a person is pregnant. It can include a computer's Internet address, which can identify a person's name or address when combined with other information collected by sophisticated online marketing or advertising firms.
The Obama administration says HealthCare.gov's connections to data firms were intended to help improve the consumer experience. Officials said outside firms are barred from using the data to further their own business interests.
There is no evidence that personal information has been misused. But connections to dozens of third-party tech firms were documented by technology experts who analyzed HealthCare.gov and then confirmed by AP. A handful of the companies were also collecting highly specific information. That combination is raising concerns.
There are two big problems here. The first is disclosure. This is being done without the knowledge of most users. And while HealthCare.gov explicitly insists that "no personally identifiable information" is collected on users, the sort of details that it sends out to marketing firms could help advertisers pin down individual identities or personal health information.
The other problem is the security of the data once it's sent elsewhere. Even if the government were taking all the necessary precautions in its own handling of sensitive, personal electronic information—and thanks to the Government Accountability Office we know that it isn't—there's no guarantee that outside marketing analysts will take the same precautions.
As the AP notes, "The administration did not explain how it ensures that companies were following the government's privacy and security policies." Presumably if security requirements were in place they would be able to say what they are.
And there are a lot of third parties involved. According to the AP report, there are at least 50 of what it calls "third-party connections" on HealthCare.gov, the federally run Obamacare exchange portal. The connections were caught by a security consultant, and in a test, the AP confirmed that the federal website was sending out information.
At minimum, the Obama administration's handling of the website security and privacy is sloppy and poorly thought out. Possibly it is dangerous and actively misleading. It's not much of a surprise, given the administration's lacklustre management of the exchanges so far, but even still, it's unsettling. And it's further evidence that when it comes to tech management, the Obama administration simply isn't competent.
But remember: There's no higher priority than protecting consumer information and maintaining trust for the consumers. This, apparently, is how the Obama administration manages its highest priorities.