Problem ID: 4120113249525612564
Entered by: Ben Simo

Healthcare.gov stores none of that data?


 I would tell you
we are storing the minimum amount of data,
because we think that's very important.
The hub is not a data collector.
It is actually using data centers
at the IRS,
at Homeland Security,
at Social Security
to verify information,
but it stores none of that data.

- HHS Secretary Kathleen Sebelius

Healthcare.gov does not only use data from other sources to verify information; it also returns that information to the web browser. Here is some of the data returned to the web browser that I did not enter. This is data retrieved from other systems and returned to my web browser while I was filling out an insurance application on the Healthcare.gov Insurance Marketplace -- also known as "The Hub".

In the below example, I have replaced my personal information with: REDACTED.

"csrf" : null,
"identifier" : "REDACTED",
"datetime" : "2013-11-08TREDACTED",
"memberEligibility" : null,
"memberVerification" : {
"csrf" : null,
"requestSentDate" : null,
"resultReceivedDate" : null,
"reasonText" : null,
"resultText" : null,
"indicator" : null,
"sourceName" : null,
"memberVerificationType" : "Income",
"incomeVerification" : null,
"ssaNameControlText" : null,
"timer" : null,
"adjudicator" : null,
"verificationActiveIndicator" : false,
"memberVerificationTypeName" : null,
"memberIncarcerationVerification" : null,
"dataSourceType" : {
"csrf" : null,
"dataSourceTypeCode" : "EDS",
"dataSourceTypeName" : "EDS",
"dataSourceExternalIndicator" : true
"dataFoundIndicator" : true,
"verificationDeterminationDateTime" : "2013-11-08TREDACTED",
"memberResidencyVerification" : null,
"addressServicedIndicator" : false,
"medicaidStateIndicator" : false,
"memberImmigrationStatusVerification" : null,
"ssnVerified" : false,
"citizenshipVerified" : false,
"edsResponseExpected" : false,
"dhsResponseCode" : null,
"requestIdentifier" : null,
"dataExpectedIndicator" : true,
"reportedHubErrorTypeCode" : null,
"reportedHubErrorTypeName" : null,
"requestedApplicationMemberNonESIMecVerification" : [],
"mecOtherPublicNonEsiInconsistencyCount" : null,
"memberCurrentIncomeVerification" : {
"csrf" : null,
"preliminaryMedicaidMAGIIndicator" : null,
"preliminaryAPTCIndicator" : null,
"currentIncomeInconsistantExplanationText" : null,
"requestedCurrentIncomeSourceVerification" : [{
"csrf" : null,
"reportedIncomeFrequencyTypeCode" : "REDACTED",
"reportedIncomeFrequencyTypeName" : null,
"classifyingIncomeSourceTypeCode" : "REDACTED",
"classifyingIncomeSourceTypeName" : null,
"currentIncomeVerificationSourceAmount" : REDACTED (my current monthly income),
"currentIncomeVerificationStatusReceivedDateTime" : null,
"currentIncomeVerificationRequestIdentifier" : null,
"currentIncomeVerificationStatusReasonText" : null,
"currentIncomeVerificationStatusIndicator" : "Y",
"currentIncomeVerificationDataFoundIndicator" : false,
"currentIncomeVerificationDataExpectedIndicator" : true,
"currentIncomeVerificationDeterminationDateTime" : "REDACTED",
"reportedMemberCurrentIncomeSourceSystemError" : [],
"periodCycleTypeCode" : null,
"periodCycleTypeName" : null,
"percentThreshholdCurrentIncome" : null,
"percentThreshholdLimit" : null,
"definingVerificationStatusReasonTypeCode" : null,
"providingIncomeOrganization" : {
"csrf" : null,
"officeSymbolText" : null,
"businessStatusDate" : null,
"organizationStructureType" : null,
"externalOrganizationIdentifier" : [{
"csrf" : null,
"text" : "REDACTED (my employer's tax ID)",
"effectiveDate" : null,
"organizationIdentifierType" : {
"csrf" : null,
"identiferTypeName" : null,
"identifierTypeCode" : null
"issuerOrganization" : null,
"organizationNomenclature" : [{
"csrf" : null,
"effectiveDate" : null,
"text" : "REDACTED (my employer's name)",
"nomenclatureType" : null
"issuerUser" : [],
"organizationType" : null,
"organizationAddress" : [{
"csrf" : null,
"organizationAddressEndDate" : null,
"addressPlace" : {
"csrf" : null,
"zipPlus4Code" : "REDACTED",
"streetName1" : "REDACTED (my employer's address)",
"streetName2" : null,
"cityName" : "REDACTED",
"stateCode" : "REDACTED",
"countryCode" : null,
"concurrencyHash" : null,
"countyName" : null,
"countyFipsCode" : null
"organizationAddressCategoryCode" : null,
"organizationAddressStartDate" : null
"organizationIdentifier" : null,
"organizationEmail" : [],
"organizationTelephone" : [],
"companyEmailDomainName" : null,
"organizationBusinessStatus" : null,
"organizationURL" : [],
"employerOrganization" : null
"calculatedMonthlyIncomeEquivalentIndicator" : false,
"mostRecentHireDate" : "REDACTED (the date I was hired)",
"payPeriodEndDate" : "REDACTED (the date of my last paycheck)",
"employmentTerminationDate" : null,
"payRate" : REDACTED (the amount of my last paycheck),
"payRateFrequencyCode" : REDACTED,
"workHourQuantity" : REDACTED,
"ongoingMonthlyBenefitCreditedAmount" : null,
"personDisabledIndicator" : false
"currentIncomeInconsistantExplanationIndicator" : null,
"pendingMedicaidReasonText" : null
"reportedSourceSystemError" : [],
"taxHouseholdSizeDifference" : null,
"useAnnualIncome" : null,
"supportingPhysicalDocument" : [],
"applicantPregnancyCategoryIndicator" : null,
"applicantChildCategoryIndicator" : null,
"priorNumbersMatch" : false,
"notToBeCheckedStatus" : false,
"priorSSNCitizenshipDataMatch" : false,
"finalizingDataSourceType" : {
"csrf" : null,
"dataSourceTypeCode" : null,
"dataSourceTypeName" : null,
"dataSourceExternalIndicator" : false
"statusExpired" : null,
"chipOrMAGIEligibleStatus" : null,
"memberTitleIIWorkQuarterVerification" : null,
"priorUSCitizenIndicator" : null,
"householdSize" : null,
"incomeEligibleUnderRPCIndicator" : null,
"requestedApplicationMemberESCMecVerification" : [],
"relatedApplicationMemberVerificationTask" : null
"memberCalculation" : null,
"memberEventType" : "Verification",
"id" : null

The system also appears to return Title II Social Security income and incarceration history. As neither of these apply to me, the values are mostly null or false. The above example is the result of one of many verification events I see in the JSON object returned to my web browser. I suspect there may be even more personal data retrieved from the back end systems for people in situations that differ from mine.

I understand that this data may be needed to process an insurance application, but I can think of no good reason to return all this data to the web browser. Returning such data retrieved from back end systems to the web browser increases the damage that can be done (and the value to identity thieves) in cases where accounts are compromised. And, if one has already obtained another's name, date of birth, and Social Security Number, I suspect that Healthcare.gov could be easily used to gather more information.

Healthcare.gov may have created a web portal into government systems that were previously secured from unauthorized access. This is reckless web design.
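
One way to act on the point above, as an added example that is not part of the original post and not Healthcare.gov code: project each back-end verification event onto an explicit allowlist before it is serialized to the browser, and check responses for fields outside that allowlist. Only the field names come from the excerpt; the allowlist, the nesting of the sample record and all values are assumptions.

```javascript
// Added example, not Healthcare.gov code. Field names come from the excerpt
// above; the allowlist, the nesting and all values are constructed assumptions.
const BROWSER_ALLOWLIST = [
  "memberEventType",
  "memberVerification.memberVerificationType",
  "memberVerification.dataFoundIndicator",
  "memberVerification.memberCurrentIncomeVerification" +
    ".requestedCurrentIncomeSourceVerification" +
    ".currentIncomeVerificationStatusIndicator",
];
const isScalar = (v) => v === null || typeof v !== "object";
// Copy only allowlisted scalar leaves; arrays are traversed transparently.
function project(value, paths) {
  if (Array.isArray(value)) return value.map((v) => project(v, paths));
  if (isScalar(value)) return null; // scalar where an object was expected
  const out = {};
  for (const [key, child] of Object.entries(value)) {
    const sub = paths.filter((p) => p === key || p.startsWith(key + "."));
    if (sub.length === 0) continue; // not allowlisted: stays on the server
    if (sub.includes(key)) {
      if (isScalar(child)) out[key] = child; // never export a whole subtree
      continue;
    }
    out[key] = project(child, sub.map((p) => p.slice(key.length + 1)));
  }
  return out;
}
const toBrowserView = (event) => project(event, BROWSER_ALLOWLIST);
// Egress check for tests or a response filter: leaf paths outside the allowlist.
function leafPaths(value, prefix = "") {
  if (Array.isArray(value)) return value.flatMap((v) => leafPaths(v, prefix));
  if (isScalar(value)) return [prefix];
  return Object.entries(value).flatMap(([k, v]) => leafPaths(v, prefix ? `${prefix}.${k}` : k));
}
const unexpectedFields = (response) =>
  [...new Set(leafPaths(response))].filter((p) => !BROWSER_ALLOWLIST.includes(p));
// Constructed back-end record (placeholder values, assumed nesting).
const backendEvent = {
  memberEventType: "Verification",
  memberVerification: {
    memberVerificationType: "Income", dataFoundIndicator: true,
    memberCurrentIncomeVerification: { requestedCurrentIncomeSourceVerification: [{
      currentIncomeVerificationStatusIndicator: "Y",
      currentIncomeVerificationSourceAmount: 1000, payRate: 500, mostRecentHireDate: "2000-01-01",
      providingIncomeOrganization: { externalOrganizationIdentifier: [{ text: "EXAMPLE-TAX-ID" }] },
    }] },
  },
};
```

`toBrowserView(backendEvent)` keeps the status flags the page needs to render, while `unexpectedFields(backendEvent)` lists the income, pay and employer paths that would otherwise reach the browser.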


