Washington, D.C. – The Subcommittee on Research and Technology and the Subcommittee on Oversight today held a joint hearing to question the government’s decision to allow as many as 50 data mining companies direct access to monitor information entered on the HealthCare.gov website.  Americans who have visited HealthCare.gov may have been monitored by these companies without their consent or knowledge.  Witnesses today discussed both the privacy implications to consumers’ personal information and whether these third party connections add vulnerabilities to the security of the website.

Research and Technology Subcommittee Chairwoman Barbara Comstock (R-Va.): “While some may characterize this as a harmless collection of data, it can actually be much more revealing. You can get a new credit card when your old one is hacked.  But once personal health information is compromised, it could be out there forever.  That is why health and health insurance information is reportedly worth up to ten times as much as credit card information on the black market. Privacy protections at federal government websites should be the gold standard, setting the bar for others to follow.”

The Associated Press recently reported that when a person applies for coverage through HealthCare.gov, numerous data mining companies immediately become aware of the individual’s online presence.  They can then search for sensitive personal information that applicants are required to enter, which may include: age, income, ZIP code, whether one is pregnant, whether one smokes and more.  A recent MIT study of credit card data revealed that only four pieces of outside information about a user, including one’s social media activity, were sufficient to identify a person in the database of a million people.

Various reports issued in the past few months by federal watchdog agencies have identified privacy and security concerns about HealthCare.gov.  For example, a GAO report from last fall identified weaknesses “in the processes used for managing information security and privacy as well as the technical implementation of IT security controls.”

Oversight Subcommittee Chairman Barry Loudermilk (R-Ga.): “Cybercriminals appear to be increasingly interested in the personal information collected by U.S. insurers, so much so that a recent Reuters article warned that 2015 could be ‘the Year of the Healthcare Hack.’ So far, it looks as though they are right. Just last week, it was disclosed that a database containing personal information for about 80 million customers of health insurer Anthem, Inc. was hacked. It is feared that this breach exposed names, birthdays, addresses, and Social Security numbers – all information that the HealthCare.gov website requests of its customers. As someone with a background in the IT sector, I find what appears to be extensive tracking of Americans’ personal information extremely disconcerting and unnecessary.”

Last month, Chairman Lamar Smith (R-Texas) sent several letters seeking an explanation. Access to HealthCare.gov was apparently provided with permission and even encouragement from the federal government to companies who profit from gathering and selling personal information.

Today’s hearing is a precursor to one at which the Committee will invite witnesses from the federal government to answer specific questions about the HealthCare.gov contracts with third party companies. 

The following witnesses testified:
Ms. Michelle De Mooy, Deputy Director, Consumer Privacy, Center for Democracy and Technology
Mr. Morgan Wright, Principal, Morgan Wright, LLC

For more information on the hearing, including a link to the LIVE webcast, visit the Committee website.