An online portal run by the Centers for Medicare and Medicaid Services experienced a breach last week, giving hackers access to 75,000 people’s files, the agency announced on Friday.
The breached portal is one used by health insurance agents and brokers assisting people with direct enrollment in the government’s Federally Facilitated Exchanges (FFE). CMS did not say what kind of information the exposed records contain or whether they belong to agents and brokers or insurance-seekers.
“While this is a small fraction of consumer records present on the FFE, any breach of our system is unacceptable,” the agency said.
CMS said it began investigating “anomalous system activity” on Saturday, Oct. 13 and declared a breach the following Tuesday. The agency did not say why it waited until Friday to publicly disclose the breach.
CMS, an agency within the Department of Health and Human Services, did not respond to a request for comment.
The agency said that it disabled the portal used by agents and brokers “out of an abundance of caution” and is working to restore it within a week. It also said it deactivated accounts linked to the suspicious activity.
“It is important to note that CMS is in the beginning stages of the assessment of this breach. This is an evolving situation and we will continue to provide additional information,” the agency said in a press release.
The breach does not affect the operation of HealthCare.gov and open enrollment, CMS administrator Seema Verma said in a statement.
“Our number one priority is the safety and security of the Americans we serve,” Verma said. “We are working to identify the individuals potentially impacted as quickly as possible so that we can notify them and provide resources such as credit protection.”
UPDATE, Oct. 26, 2018 at 10:50 a.m. EDT:
CMS sent out a statement Friday saying that the agent and broker direct enrollment portal for FFE is back online and that it “has worked around the clock to implement new security measures to protect consumer information.”
The agency also said it “can now confirm that no banking, federal tax information (FTI), or protected health information (PHI) was exposed during the breach.”
CMS said that people affected by the breach will be able to apply for free credit protection services once the agency finishes assessing what information was accessed.