Privacy expert: Covered California privacy actions ‘worrisome’

by Adam O'Neal | December 10, 2013 10:43 am

Obamacare waiver for Reid, Allie, cagle, Dec. 10, 2013[1]It isn’t just the federal Affordable Care Act website, healthcare.gov[2], that has suffered unacceptable “glitches” that President Obama has decried[3]. So has our state’s implementation, Covered California[4], whose problems include low Latino enrollment.

One of the most disconcerting, and persistent, worries about each website is security. The federal website, which has become more usable since its widely mocked launch, has made little progress in improving security. TrustedSec CEO David Kennedy, an internet security expert, told the Washington Free Beacon[5] that it “doesn’t appear that any security fixes were done at all.”

He went on:

“There are a number of security concerns already with the website, and that’s without even actually hacking the site, that’s just a purely passive analysis of [it],” he said. “We found a number of critical exposures that were around sensitive information, the ability to hack into the site, things like that. We reported those issues and none of those appear to have been addressed at all. …

“They said they implemented over 400 bug fixes,” he said. “When you recode the application to fix these 400 bugs — they were rushing this out of the door to get the site at least so it can work a little bit — you’re introducing more security flaws as you go along with it because you don’t even check that code.”

While the federal website’s security issues may be disconcerting — after all, it collects data such as Social Security numbers and some medical information — there is a whole other problem in California.

Covered California’s primary privacy problem isn’t hacking. It’s that Covered California is knowingly giving away some private information — information that users explicitly requested not be shared.

The Los Angeles Times reported on Friday night[6] that Covered California gave insurance agents the names and contact information of tens of thousands of people who requested that their information remain private. Officials justified their action by saying it was necessary to help people sign up so Covered California could meet its deadline. Fortunately, consumers’ Social Security numbers and medical records were safe; the insurance agents only received names, addresses, e-mail addresses and phone numbers.

Peter Lee, the executive director of Covered California, told the Times, “I can imagine some people may be upset. … But I can see a lot of people will be comforted and relieved at getting the help they need to navigate a confusing process.” Of course, it is unclear why people being contacted (after explicitly asking not to be) would be relieved.

‘Worrisome’

Lee said Covered California’s lawyers approved the decision. But Mari Frank, an attorney and certified information privacy professional, told CalWatchdog.com that the choice to ignore consumers’ requests and share the information was “worrisome.”

“I think it was poorly decided — there is so little trust as it is — and consumers are already fearful of ID theft and fraud,” she said.

She added that, while government agencies sharing information with law enforcement and other government agencies is fairly common, sharing personal information with private companies was a new concern.

Ultimately, though, the decision about whether or not to share this kind of information should be a simple one. Frank said, “The government should not share information without prior consent.”

Endnotes:
  1. [Image]: http://calwatchdog.com/wp-content/uploads/2013/12/Obamacare-waiver-for-Reid-Allie-cagle-Dec.-10-2013.jpg
  2. healthcare.gov: https://www.healthcare.gov/
  3. President Obama has decried: http://www.zdnet.com/obama-dubs-healthcare-gov-glitches-unacceptable-calls-in-tech-support-7000022165/
  4. Covered California: https://www.coveredca.com/
  5. told the Washington Free Beacon: http://freebeacon.com/expert-healthcare-gov-security-risks-even-worse-after-fix/
  6. The Los Angeles Times reported on Friday night: http://www.latimes.com/business/la-fi-exchange-names-disclosed-20131207,0,1224576.story#axzz2n0eE88No

Source URL: https://calwatchdog.com/2013/12/10/privacy-expert-covered-california-privacy-actions-worrisome/