California Implemented Security Controls Over the Web Site and Databases for Its Health Insurance Exchange but Could Improve Protection of Personally Identifiable Information

Covered California, California's health insurance exchange, implemented security controls over the Web site and databases for its health insurance exchange, but improvements are needed to fully comply with Federal requirements and to increase protection of personally identifiable information (PII).

We reviewed Covered California's information security controls in place as of June 2014. We found that Covered California had implemented security controls, including policies and procedures, to protect PII on its Web site and databases but had not performed a vulnerability scan in accordance with Federal requirements. Also, Covered California's security plan did not meet some of CMS's minimum requirements for protection of marketplace systems, and Covered California did not have secure settings for some user accounts.

We recommended that Covered California implement our detailed recommendations to address the specific findings we identified.