Since the hacking at Target I’ve received emails from the store and my bank informing me of the data breach (it doesn’t appear I was personally affected) and letting me know I should keep an eye on my account statement. Target offered free credit monitoring and gave customers a 10% discount over the weekend.
The government, on the other hand, is not obligated to inform you of a data breach, even if you are personally affected. That is by design.
The Federal Register tells the tale about what happened on March 27, 2012, at a meeting on the issue.
At that meeting, two commenters asked HHS to ensure the exchanges would promptly notify affected enrollees in the event of a data breach or unauthorized access to the exchange’s databases. One commenter suggested that a full investigation be launched each time such a breach occurred, with the goal of holding hackers legally and financially accountable for breaking into the website.
According to a report by the group Watchdog.org, HHS responded: “We do not plan to include the specific notification procedures in the final rule. Consistent with this approach, we do not include specific policies for investigation of data breaches in this final rule.” In other words, the government doesn’t have to tell you about a security breach unless it decides it wants to — despite the fact that private companies are required to publicly disclose any incidents. State laws also require many of the 14 state-run insurance exchanges to disclose such information, but no such law exists for the federally run exchange, which 36 states rely upon.
Read the whole thing. So much for healthcare.fail being up to private sector standards.