Audit (A-18-14-30011)

Health Insurance Marketplaces Generally Protected Personally Identifiable Information but Could Improve Certain Information Security Controls


This summary report provides an overview of the results of three reviews of the security of certain information technology at the Federal, Kentucky, and New Mexico Health Insurance Marketplaces. These reviews generally examined whether information security controls were implemented in accordance with relevant Federal requirements and guidelines and whether vulnerabilities identified by prior assessments were remediated in a timely manner.

Although CMS had implemented controls to secure and consumer personally identifiable information (PII) on the Federal Marketplace, we identified areas for improvement in its information security controls. Kentucky had sufficiently protected PII on its Marketplace Web sites and databases in accordance with Federal requirements. However, opportunities to improve the Kentucky Marketplace's database access and information security controls remain. Although New Mexico management had implemented security controls, policies, and procedures to prevent vulnerabilities in its Web site, database, and supporting information systems, its information technology policies and procedures did not always conform to Federal requirements to secure sensitive information stored and processed by the New Mexico Marketplace.

We recommended that the Marketplaces' management address the findings identified in its reports.

On September 4, 2014, CMS issued a statement regarding an intrusion on a server that supports testing of but does not contain consumer personal information. The intrusion occurred after the period of our audit and involved technology outside our audit scope.

Office of Inspector General, U.S. Department of Health and Human Services | 330 Independence Avenue, SW, Washington, DC 20201