Obamacare contractors had serious data security lapses

Quality Software Services was cited by HHS for exposing data on more than 6 million Medicare recipients

Two contractors that worked on developing healthcare exchanges for the Affordable Care Act, also known as Obamacare, have suffered serious data security lapses, according to a report by Computerworld.

Quality Software Services and Serco have been involved with recent data security incidents, although these incidents were unrelated to the Healthcare.gov website's inability to handle the volume of users looking to sign up for ACA health insurance plans.

IT-Harvest security analyst Richard Stiennon cautioned that efforts to try to "fix" the Healthcare.gov website could lead to shortcuts on security.

Contractor Security Lapses

Quality Software Services, which has developed software code for the Internal Revenue Service, the Social Security Administration and the Centers for Medicare and Medicaid Services websites, was criticized in a June report by the Department of Health and Human Services' Office of the Inspector General for failing to meet federal government security standards.

"Quality Software Services, Inc., did not sufficiently implement CMS-required information system security controls over USB ports and devices, thus risking exposure of personally identifiable information for over 6 million Medicare beneficiaries," the report concluded.

In a statement to Computerworld, the firm said: "We implemented all of the enhancements recommended by the OIG prior to the publication of the final report, and informed CMS of our actions."

Serco won a $1.3 billion contract to process paper applications submitted by individuals looking for health insurance through the online ACA exchanges. In 2012, Serco admitted that it suffered a data breach that exposed Social Security numbers and financial information of more than 123,000 members of the $313 billion Thrift Savings Plan federal retirement plan, Computerworld noted.

The Federal Bureau of Investigation informed Serco about the breach in April 2012, even though it occurred in July 2011.

In response to a Computerworld inquiry, Serco spokesman Alan Hill said in a statement: "We are committed to applying and enforcing a strong information security program and strict controls across all of our contracts and operations. Protecting the privacy of consumers through the paper application process is top priority for Serco and CMS."
