Glitches during the rollout of the new Affordable Health Care Act may mask a far more serious problem for customers: protecting sensitive data, reports say.
Maryland's
Health Connection, that state's Obamacare marketplace, has a privacy policy that contains at least two conditions that should give consumers pause,
the Weekly Standard reported Tuesday.
The first involves personal information submitted with an application that is promised to be kept confidential — with one exception, the report said.
"[W]e may share information provided in your application with the appropriate authorities for law enforcement and audit activities," the policy states, the Weekly Standard reported.
The site does not specify whether "appropriate authorities" refers only to state authorities or whether it could include the federal government as well.
Neither is there any detail on what type of law enforcement and/or audit activities would justify the release of the personal information, or who exactly is authorized to make such a determination.
An email to the Maryland Health Connection's media contact seeking clarification wasn't answered, the publication stated.
The second privacy issue that could raise concerns relates to emails: "E-mail correspondence may become a public record. As a public record, your correspondence could be disclosed to other parties upon their request in accordance with
Maryland’s Public Information Act," which has certain
exceptions to the disclosure rules.
The Weekly Standard said that because emails to the marketplace could involve sensitive issues, including finances and health history, "the fact that such information could be made part of the 'public record' could prevent users from being as free with their information than they might otherwise be."
In August, a coalition of attorneys general from 13 states wrote Health and Human Services Secretary Kathleen Sebelius to express concerns over consumer privacy and oversight of counselors who assist enrollees in the exchanges,
The National Review reported.
Chief among the concerns was whether sufficient safeguards were in place to prevent security breaches.
It didn't take long for one such alarming breach.
An employee of Minnesota’s health exchange accidentally sent 2,400 Social Security numbers, complete with names and addresses, to an insurance broker applying to become a navigator,
the Minneapolis Star Tribune reported.
On Tuesday, House Intelligence Committee Chairman Mike Rogers, R-Mich., warned that a federal hub of healthcare information is vulnerable to hackers.
"There is no way in God's green Earth they can secure that system today," Rogers said during an event at D.C.'s Newseum,
hosted by Politico,
The Hill reported.
The data services hub, which is part of the president's healthcare reform law, is used to verify eligibility and share information between state exchanges and federal agencies.
Meanwhile, the Obamacare marketplace in Kentucky has no "expectation of privacy," warning customers their information will be monitored and shared,
the Washington Free Beacon reported.
When clicking "let’s get started" on the state-run health insurance marketplace dubbed
kynect, the user sees a warning notice:
"Users (authorized or unauthorized) have no explicit or implicit expectation of privacy," the notice reads. "Any or all uses of this system and all files on the system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized state government and law enforcement personnel, as well as authorized officials of other agencies, both domestic and foreign."
Such information includes Social Security numbers. When calling kynect to enroll in the marketplace, a person is told to have his Social Security card, immigration status, pay stubs, alimony payments, student loan information, and current health insurance information at the ready.
The kynect disclaimer says users' information can be shared at the will of state government agencies.
"By using this system," the warning states, "the user consents to such at the discretion of the Commonwealth of Kentucky."
A spokeswoman for kynect called the disclaimer "problematic," and said it was a mistake.
"The disclaimer is a federal requirement intended to let all who come on the website know this is a governmental entity and sensitive information is contained within," Gwenda Bond, assistant communications director for the Kentucky Cabinet for Health and Family Services, told the Beacon.
"While the language sounds severe, it actually is a warning to those who might try to inappropriately use the website or any personal information contained within," she said. "We appreciate you bringing this to our attention, and we are working to modify the language so the message is more clear."
Bond said kynect will update its website to read: "This website is the property of the Kentucky Health Benefit Exchange. This is to notify you that you are only authorized to use this site, or any information accessed through this site, for its intended purpose of assisting individuals, employers or employees in the selection or purchase of health plans or other benefits."
As more health-related data is digitized, "the privacy violations are going to be incalculable,"
Jim Pyles, an expert in health law who co-founded the law firm Powers Pyles Sutter & Verville, told CBSNews.com.
But the issue predates the Affordable Care Act. Since 2009 — when the Health and Human Services Department started requiring reporting of data breaches — about 27 million people have been affected by major breaches of unencrypted health data, CBSNews reported.