Skip Navigation
United States Flag

An official website of the United States government. Here's how you know >

A New Look for HHS-OIG. Learn More >>

Change Font Size

Transcript for audio podcast: Health Insurance Marketplaces Generally Protected Personally Identifiable Information but Could Improve Certain Information Security Controls

From the Office of Inspector General of Department of Health and Human Services

[Sheri Fulcher]: Hi, I'm Sheri Fulcher, a Regional Inspector General, here with Tom Salmon, an Assistant Inspector General for Audit Services. We're going to talk about OIG's work looking at the security of consumer information on the Federal website, as well as two State health insurance Marketplaces: Kentucky and New Mexico. Tom, why did OIG do these reviews?

[Tom Salmon] We did these reviews to determine whether marketplaces protected sensitive applicant information. It's critical that personally identifiable information, which we call P-I-I, be secure.

[Sheri Fulcher] What did you focus on in these reviews?

[Tom Salmon] We reviewed safeguards designed to protect sensitive data used by the Marketplaces. We checked to see if the Marketplaces implemented these safeguards according to Federal requirements.

[Sheri Fulcher] How did you test the security safeguards?

[Tom Salmon] As explained in our summary report, we used a variety of testing methods. For example, we used specialized tools that help detect potential security risks and vulnerabilities. We also looked at security assessments done by the Federal and state agencies that oversee the marketplaces. We checked to see if these agencies fixed the vulnerabilities they identified.

[Sheri Fulcher] So what did you find?

[Tom Salmon] We found that, at the time of our reviews, the Federal and State marketplaces generally protected PII, but could improve some security controls to minimize vulnerabilities.

[Sheri Fulcher] Tell us about what you found at the Federal website.

[Tom Salmon] The Centers for Medicare & Medicaid Services, or CMS, operates At the time of our review, we found that CMS had taken steps since the October 1 launch of to lower the security risks associated with the systems and consumer data. However, we also found that CMS needed to improve its processes for testing the security of the Marketplaces.

[Sheri Fulcher] What about the security of the Kentucky and New Mexico marketplaces?

[Tom Salmon] We found that the responsible agencies implemented security controls to prevent Marketplace website vulnerabilities. But - they can still improve their security controls.

[Sheri Fulcher] Did CMS and the States agree with OIG's findings and recommendations?

[Tom Salmon] Overall, CMS, Kentucky and New Mexico agreed. OIG provided Federal and State officials with detailed information and recommendations to fix vulnerabilities.

[Sheri Fulcher] Anything else?

[Tom Salmon] Protecting consumer's personal information is crucial. OIG will continue to examine the security of information systems used by the new Affordable Care Act insurance marketplaces.

[Sheri Fulcher] Thank you Tom.

[Tom Salmon] Thank you.


Return to Podcasts

Office of Inspector General, U.S. Department of Health and Human Services | 330 Independence Avenue, SW, Washington, DC 20201