Application Sets Off Privacy Alarm Bells
Opinion Application Sets Off Privacy Alarm Bells


I am now among the more than 4 million who've accessed to review and select policies. The experience was disconcerting.

Although I know a bit more about insurance than most Americans — I've been writing about it for more than quarter century — the process still raised some palpable privacy concerns. Actually picking a policy is also daunting; the government isn't providing enough help online to make it any easier.

Related: Obamacare Enrollment Slows Ahead of Deadline

Some background: I currently have an affordable private catastrophic policy for my family. It's minimal coverage, but it will pay for serious illness and hospitalizations, which, unfortunately, is part of my family's medical history (cancer, emergency room/intensive care). The premium is around $600 a month with a $5,800 deductible.

I don't expect these costs to remain the same this coming year — I've always been hit with an annual increase — nor do I expect this kind of policy to continue. Eventually all policies must be compliant with the basic provisions of the Affordable Care Act (ACA).  So I've been shopping for a policy through as well as private exchanges.

Back in October 2013, I applied to the online marketplace. Any number of well-publicized technical snafus kept me out of the system for months. When I went back to apply last week, even though I had called the government hotline for assistance, I was unable to log in.

The account I attempted to set up was "locked or disabled," which I was told by the representative could be restarted if I re-applied. I did that, but I was still unable to get into the system. was unable to affect a technical fix on their end through the hotline, even though I had entered a bevy of personal information such as Social Security numbers for my entire family. Is it lost? representatives couldn't tell me, although they assure me that my privacy is protected. I'm dubious.

Outside of the Comfort Zone
With another email address, I was able to review policy options through the exchange site. I felt somewhat relieved — until I faced a gauntlet of questions that were troubling.

Some of the queries were necessary: Names of family members, their relation to me and standard demographic questions on ethnicity. Were we members of a "federally recognized tribe"? Were any of the children adopted? Was I in jail? 

Then there was the tacit statement that the Department of Health and Human Services might access records of the Internal Revenue Service (IRS) and Department of Homeland Security. Would they also share this information with — or be accessed by — the National Security Agency or other federal agencies? There was nothing on the website that guaranteed that wouldn't happen, except for the boilerplate privacy protection statement.

The NSA seems to have tapped everything from cellphone conversations to emails. I suppose if the NSA wanted to get into this database, they wouldn't have a problem since it's so new and probably not hacker proof. All I want to do is apply for an affordable policy, so I don't know how much use my family's information would be to them. Still, that dark thought lingers that our personal data could be purloined and abused.

I could see why would crosscheck with the IRS to verify reported income. That would ensure that those receiving subsidies qualified for them. And I can imagine the huge political blowback if they were granting insurance to non-citizens, hence the Department of Homeland Security question.

Related: 10 Top Questions Consumers Ask About Obamacare

But also asked verification questions about a past employer and residences that seemed kind of strange. I had already gone through a verification process so convoluted that it nearly put me off applying through the government.

Since I couldn't do verification online — where a credit agency can check my background in seconds — I had to mail a copy of my driver's license to a address in London, Kentucky. I was told the verification process would take two weeks. It took more than a month before I received a letter for "approval to submit your online application."

Still the security concerns with the online exchange persist. While I'm certainly no cybersecurity expert, earlier this year David Kennedy, CEO of the security firm TrustedSec wrote this:

My opinion on isn’t because of any form of hacking, or attempting to breach its security, it comes from years of working on the exact same flaws for companies that experience large-scale breaches or organizations that want to understand what types of exposures they have, and these are symptomatic of a much larger problem.

While the Centers for Medicare and Medicaid Services (CMS), which administers, collects the information submitted online, it's not clear what they are doing to protect against hacking. They state that they are complying with all federal privacy laws, but I suspect those statues are not up to date.

Keep in mind that much, if not all of the information submitted, is going to be shared with third parties such as insurers and the credit-reporting firm Experian (for identity verification), in addition to the other federal agencies mentioned above.

Those are a lot of eyeballs on your personal data. What is the government doing to ensure that these third parties are secure with the information they receive? Again, it's not clear, although here's their individual privacy statement:

Identity Verification involves Experian using information from   your consumer report profile to help confirm your identity. As a result, you may see an entry called a “soft inquiry” on your Experian consumer report. Soft inquiries are visible only to you, will never be presented to third parties, and do not affect your credit score. The soft inquiry will be titled “CMS Proofing Services” and will be removed from your Experian consumer report after 25 months.

As we've seen, there have been multiple hacks of personal information from Target, Neiman-Marcus and dozens of medical services companies. Hacking is a decentralized, 24/7 global operation that strives to steal personal information — and resell it — on an ongoing basis.

As the rate of uninsured Americans drops — a positive development — there are nagging details that need to be addressed with the March 31 deadline for coverage looming. The government's operation of has done little to inspire confidence on the technical or security side.

Although there's little I or the millions who have applied for insurance can do to directly protect our personal information, it would be wise to check your credit records on a regular basis. It's not much of a safeguard, although it seems like a cheap alarm system for identity theft in lieu of meaningful system security.

Top Reads from The Fiscal Times: