Mt. Vernon Register-News

January 9, 2014

Security check


The Register-News

Republicans this week plan to put yet another criticism of the Affordable Care Act front-and-center on the House floor. It is another political weapon, but if treated seriously, this one could lead to useful reform.

For the past several weeks, Republicans have claimed that the Web site HealthCare.gov and the systems behind it may not be secure enough to keep Americans’ personally identifying information safe. They have selectively released evidence they collected through their oversight efforts to make it seem as though the site has major security vulnerabilities. In response, Democrats presented selective evidence of their own. The Department of Health and Human Services (HHS), meanwhile, reported that “there have been no successful security attacks on HealthCare.gov, and no person or group has maliciously accessed personally identifiable information from the site.” The administration also said that the site is fully compliant with federal security standards.

That’s presumably true, but those standards could use some upgrading. HealthCare.gov no doubt has some vulnerabilities, as do many other sites. Data breaches of well-protected government — and, for that matter, private — systems containing sensitive information indicate that HealthCare.gov would hardly be unique in this regard, even if it is a uniquely tempting political target. ACA sites don’t collect the breadth of sensitive personal data that other federal systems, such as Medicare’s, do.

The House Republicans’ bill would require the government to notify victims of any illegal security breach in the ACA’s systems within two business days. If that makes sense for HealthCare.gov, though, why not require the same of other sensitive federal systems, too?

If Republicans want to pass useful policy, rather than simply throw another bomb at the ACA, they should detach their proposal from anti-Obamacare politics and vote on a broader federal transparency requirement, or even renew their push for more ambitious federal cybersecurity reforms. There are Democrats who would join in such a project; a proposal to update federal data security standards last year passed the House unanimously. A bigger effort would be well worth it, though the two-day notification requirement is probably unrealistic.

It would be unfortunate, though, if Republicans succeeded in scaring Americans away from enrolling in health-insurance plans, undoubtedly a goal for some. Many uninsured Americans, in particular, have a lot more to gain than lose from logging into HealthCare.gov, examining their options, calculating the government subsidies they qualify for — and signing up.