Washington, D.C. – Science, Space, and Technology Committee Chairman Lamar Smith (R-Texas) today issued a subpoena to the Centers for Medicare & Medicaid Services (CMS) for documents and information concerning allegations that personal information is being collected and stored for all individuals who open an account on the HealthCare.gov website. For months, the Committee has demanded documents related to the data warehouse system that supports HealthCare.gov, otherwise known as the Multidimensional Insurance Data Analytics System (MIDAS). 

Chairman Smith: “The Science Committee wants to know how the federal government collects and manages Americans’ personal information. It appears that information is stored for all individuals who open an account on HealthCare.gov, regardless of whether they sign up for coverage. According to information obtained by the Committee, at least 327 employees have access to the MIDAS database, including over 100 users with access to Americans’ personally identifiable information. The agency’s failure to produce a responsive answer insults Americans worried about the exposure of their personal information. Today I issued a subpoena to compel the administration to be open and honest about its data collection and storage through the Obamacare website.”

In September 2015, the Office of Inspector General (OIG) for the U.S. Department of Health and Human Services released an audit regarding the $110 million data warehouse system. The audit highlighted a number of technical deficiencies, including software bugs, some of which were classified as high risk, failure to conduct automated vulnerability scans, failure to disable generic accounts used for maintenance or testing, and using a shared read-only account for access to the database, making it difficult to tell which individuals have access to the information and when individuals access the database. 

Cyber security experts testified before the Committee that a necessary component of mitigating the security risk to MIDAS includes not storing excessive information. Additionally, a case study released by the OIG in February 2016 appears to show that White House staff caused delays in finalizing HealthCare.gov by closely scrutinizing career employees at CMS. This information, coupled with the findings in the OIG audit, raises serious questions about whether CMS has the necessary controls in place to ensure that information stored within MIDAS is not compromised.

According to the Department of Health and Human Services, personally identifiable information is being collected or maintained by this system and includes the following: social security numbers, dates of birth, names, mailing addresses, phone numbers, financial accounts information, military status, employment status, passport numbers, and taxpayer IDs.

The administration has never appeared to be forthright about the use and storage of personal information on HealthCare.gov, and has yet to explain the reason for indefinitely storing user information, particularly when some of the users did not even enroll on the website. The Chairman today issued a subpoena for all documents and communications related to the MIDAS data storage facility.

The cover letter to the subpoena can be found HERE.