Ugh: KFF reports on an important security flaw at HealthCare.Gov

It's been a long time since I've reported on any significant cybersecurity problems at any of the ACA exchanges. The last one I can think of off the top of my head was nearly a decade ago, and even that was about how some early flaws had been fixed.

Still, this story by Julie Appleby of KFF definitely isn't good news:

Unauthorized enrollment or plan-switching is emerging as a serious challenge for the ACA, also known as Obamacare. Brokers say the ease with which rogue agents can get into policyholder accounts in the 32 states served by the federal marketplace plays a major role in the problem, according to an investigation by KFF Health News.

Indeed, armed with only a person’s name, date of birth, and state, a licensed agent can access a policyholder’s coverage through the federal exchange or its direct enrollment platforms. It’s harder to do through state ACA markets, because they often require additional information.

Well, if nothing else, this adds another reason for states to consider moving to their own state-based exchange, anyway...

...The growing outcry from agents who have had their clients switched by rivals — which can steer monthly commissions to the new agent — casts a shadow on what otherwise has been a record year for ACA enrollment.

...Federal regulators are aware of the increase in unauthorized switching and say they have taken steps to combat it. It’s unclear, though, if these efforts will be enough.

On Feb. 26, the Centers for Medicare & Medicaid Services sent a “plan switch update” to industry representatives acknowledging “a large number” of 2024 cases and outlining some of its technical efforts to resolve problems when complaints are lodged.

...Wu did not answer specific questions about whether two-factor authentication or other safeguards would be added...

Unlike many of the attacks which have been lodged against HealthCare.Gov over the years (not so much recently), this one sounds like a legitimate problem.

Complaints gained momentum during the most recent open enrollment period, agents say. One worker in a government office that helps oversee operations of the federal exchange told KFF Health News of personally handling more than 1,200 complaints about unauthorized switches or enrollments in the past three months, averaging about 20 a day.

I mean, that makes sense given that enrollment across the 32 HealthCare.Gov states is up 38% this year, but the phrasing of this makes it sound like the unauthorized switches have risen more than 38%.

Florida, Georgia, and Texas appear to be plan-switching hotbeds, agents say. Florida and Texas officials referred questions to federal regulators. Bryce Rawson, press secretary for the Georgia Department of Insurance, says the state saw no switching complaints last year and has about 30 so far in 2024, a small number but one it is taking seriously.

It sounds like this is a crime which the broker community only gained widespread knowledge of recently. Not exactly surprising that those three states top the list, however; they have the highest exchange enrollment of any FFM state, and combined have over 9 million enrollees...55% of all FFM enrollment and 42% of exchange enrollment nationally. So yeah, I'd expect them to have the highest number of these incidents as well.

...By contrast, states that run their own marketplaces — there are 18 and the District of Columbia that do — have been more successful in thwarting such efforts because they require more information before a policy can be accessed, Brooker said.

In Colorado, for example, customers create accounts on the state’s online market and can choose which brokers have access. Pennsylvania has a similar setup. California sends a one-time password to the consumer, who then gives it to the agent before any changes can be made.

These all sound like basic, wise measures to take. HealthCare.Gov should proceed similarly as quickly as feasible.

Adding such safeguards to could slow the enrollment process.

Yeah? Tough. Add them anyway.

I should also note that this may be one of the reasons why the state-based exchanges haven't seen the same enrollment growth levels as the federal exchange overall over the past couple of years. The major reasons have to do with whether or not the state has expanded Medicaid or has Enhanced Direct Enrollment integration (FFM states do; SBM states don't yet), but this could be another piece of the puzzle.