John Fund: Feds violate hacking disclosure laws on ACA site
The federal government has exempted itself from having to tell people signing up for the Affordable Care Act whether or not their classified information has been hacked by cyberthieves, says John Fund, a national affairs columnist for National Review Online.
“They’ve exempted themselves from the law and it’s just appalling. I mean every private business, if you’re a customer and you get hacked, they have to tell you at least about it so you can change your credit cards or take other precautions,” Fund told “The Steve Malzberg Show” on Newsmax TV.
“The state healthcare exchanges … they have to in most cases tell you but not the federal government. In other words, it’s one law for thee and one law for me, is the government’s attitude.”
Fund, who is also senior editor at The American Spectator, said officials last year decided to give themselves a pass on having to disclose anything about hacking problems.
“In 2012, they had a meeting on the final rules of Obamacare. Security experts showed up and testified … you’ve got to include this warning, this transparency rule, and they said, no, we choose not to,” he said.
“Now, the reason why that’s important is this: in September when they were rushing to get the website up … it was such a mess that the chief information security officer … refused to sign off on the website being safe from hackers and from others and then her boss refused to sign off on it.”
In an article on the National Review website Monday, Fund referenced the recent hacking that threatens the credit and debit card information of 40 million Target customers, a security lapse that has led to widespread criticism of the retail giant.
Fund wrote, “At least Target informed its customers of the security breach, as it is required by federal law to do. HealthCare.gov faces no such requirement; it need never notify customers that their personal information has been hacked or possibly compromised. The Department of Health and Human Services was specifically asked to include a notification requirement in the rules it designed for the health-care exchanges, but HHS declined.”
Republicans on Capitol Hill have also made comparisons with the Target hacking.
“The difference is that Target notified consumers when a breach occurred, but the scary part here is that [Obamacare] consumers are not necessarily going to be told that their personal information has been breached,” Tom Flanigan, press secretary for Republican Rep. Diane Black of Tennessee, told Newsmax Tuesday.
“No one is forced to shop at Target, but they are forced to participate in the exchanges and to input very personal health information,” Flanigan said.
Black has introduced the Federal Exchange Data Breach Notification Act of 2013, which would require the federal government to notify individuals if their personal information has been exposed or compromised.
CNN reported in November that more than a dozen cyberattacks were attempted on the website up to that time, according to a Homeland Security Department official. The article reported the House Homeland Security Committee testimony of database expert Luke Chung, who told the committee that the many technical failings of the website did not bode well for its ability to secure data.
“When you have an environment where the developer can barely get the web site functional, security is way down on the list of things to take care of. Security has to be built-in at the very beginning not at the very end,” Chung said.
In his National Review article, Fund quotes Bruce Webster, “a consultant who has advised companies for 40 years on IT issues,” who termed the administration’s hacking disclosure policy “security through obscurity.”
“They do not want to talk about their security measures; they do not want to talk about their security breaches; they do not want to inform affected citizens of compromised personal information,” Webster told Fund.
“Their attitude reminds me of Lily Tomlin’s character Ernestine as an AT&T operator back when AT&T had a monopoly: ‘We don’t care. We don’t have to. We’re the phone company.’”