D.C. Health Exchange Needs Broker Identity Theft Posse

What You Need to Know

The breach included some Social Security numbers and affected more than 56,000 individuals, including 17 members of Congress.
Only 19.1% of the people have signed up for the identity theft protection service offered for one credit bureau.
That compares with a typical identity theft protection take-up rate of just 4% for average breach victims.

The builders of the Affordable Care Act health insurance exchange system once wondered whether agents and brokers would have a role in the health insurance market.

Now, the managers of the ACA public exchange for the District of Columbia are turning to brokers to help persuade more users to protect themselves against the effects of a recent data breach.

The breach, which was discovered March 6 and announced March 8, exposed the personal information of about 56,415 exchange users, including 17 members of Congress. Data thieves posted at least two batches of data, including the Social Security numbers and email addresses of at least some users, on identity information markets.

Mila Kofman, executive director of the D.C. Health Benefit Exchange Authority, the agency in charge of the DC Health Link exchange, testified Wednesday that the exchange hopes brokers and business organizations will help it get more exchange users’ attention, warn them that thieves might have sold their Social Security numbers and other personal data, and persuade them to sign up for free credit bureau identity theft defense services.

“We did two briefings for our brokers,” Kofman said, at a hearing on the breach organized by the House Oversight cybersecurity subcommittee and the House Administration oversight subcommittee. “Ninety-two percent of our employers have a broker, and we asked our brokers to notify their clients about this breach.”

What It Means

Aside from needing you to help consumers plan for the future and protect themselves against mortality, morbidity and longevity risk, financial services organizations need you to get people to pay attention when identity thieves have put information about their home addresses and Social Security numbers up for sale on the “dark web.”

In the long run, the hacking itself could be of as much concern for retirement planners in the District of Columbia as for health insurance brokers, because criminals could try to use any DC Health Link data purchased to set up investment accounts under fake names, or even to try to steal cell phones from specific homes and use a combination of the cell phones and the Social Security numbers to take over clients’ bank accounts, mutual funds, annuities, life insurance policies, or other financial services accounts and assets.

DC Health Link

Congress included the ACA public exchange system in the Affordable Care Act, a package of two statutes passed in 2010. The District of Columbia and individual states run local ACA exchanges in some jurisdictions, and the Centers for Medicare and Medicaid Services runs a federal program, HealthCare.gov, for jurisdictions unable or unwilling to run their own exchange programs.

Congress tried to show its solidarity with other exchange users by requiring members of Congress and some congressional aides to get their own health coverage through the exchange system. Because of that rule, many members of Congress and other exchange users get their coverage through DC Health Link.

In March, the exchange had 14,547 individual coverage enrollees and 86,482 enrollees in 5,324 group plans, according to an enrollment summary included in an exchange board meeting document packet.

Kofman noted in the written version of her hearing testimony that DC Health Link faces an average of 2,000 malicious attacks per day and has a cybersecurity program that includes technology from the kinds of providers used by U.S. military and intelligence agencies.

The Breach

The breach appears to be related to a reporting system configuration error that has been in place since 2018, Kofman said at the hearing.