Identity verification for enrollment in Healthcare.gov is prone to identity fraud and its administrator has no plan to fix it, a government watchdog said.
A June 14 report from the Government Accountability Office reviewed identity verification processes, also known as "remote identity proofing," at six federal agencies. In its review of the Centers for Medicare and Medicaid Services, the GAO found that healthcare.gov's process is at risk of identity fraud.
“CMS has not implemented alternative methods to better ensure the effectiveness of the remote identity proofing processes used for its Healthcare.gov service,” the GAO wrote.
The GAO's concern is with "knowledge-based verification," the second step of the process, in which applicants answer a series of personal questions that, in theory, only the real person would know. If the applicant answers correctly, the identity is considered verified. In the first step, the applicant supplies personal information such as name, date of birth and Social Security number, which is sent to a consumer reporting agency, such as Equifax, for comparison against its records.
But because of data breaches at firms like Equifax, whose 2017 hack exposed the personal information of 143 million Americans, the GAO is concerned that the very information those questions rely on is no longer secret, leaving current verification processes prone to identity fraud.
Despite the risk posed from past breaches, CMS disagreed with GAO recommendations to use alternative verification processes. Furthermore, CMS “has no plans to reduce or eliminate knowledge-based verification for remote identity proofing,” the GAO wrote.
As a safeguard against that risk, CMS has applicants for coverage on healthcare.gov supply basic information and then confirm an email address, the GAO wrote. The GAO did not consider that sufficient.
“However, this process confirms only the email address that was used to create the account; it does not confirm the identity of the individual who is applying for the account,” the GAO wrote.
To reduce fraudulent benefit claims, the GAO recommended that agencies stop relying on knowledge-based verification in their identity-proofing processes altogether.
But at CMS, the GAO wrote, officials “acknowledge that they do not have a plan to reduce or eliminate the use of knowledge-based verification because they have not yet identified any effective alternatives to knowledge-based verification for Healthcare.gov.”
The GAO listed several alternatives to knowledge-based verification. Agencies could use mobile phones to verify credentials, either by confirming possession of the device through the phone carrier or by sending a confirmation code, although the GAO acknowledged that confirmation codes are not necessarily a secure method. Agencies could also mail a personal identification number to the applicant's address on file, or verify identity in person, the GAO recommended.
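The confirmation-code alternative listed above, and the GAO's caveat about the email step (a code proves only that the submitter can read messages sent to an address, not who that person is), can be made concrete with a small server-side implementation. The following is an added example written for this page, not code from CMS, HHS or the GAO report; the ten-minute validity window, five-guess budget, example address and in-memory store are assumptions. It shows the properties a possession check needs on the server side: a CSPRNG-generated code, only an HMAC of the code at rest, constant-time comparison, expiry, single use and lockout after repeated wrong guesses. It does nothing about the delivery channel itself, which is one reason such codes are a possession check rather than identity proof.

```python
"""
Issue and verify one-time confirmation codes for a possession check
(a code sent to an email address or phone number). Constructed example;
the store, limits and address are assumptions, not CMS's or the GAO's design.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60   # assumed validity window
MAX_ATTEMPTS = 5             # assumed guess budget per issued code


class ConfirmationCodeStore:
    """Server-side state for pending confirmation codes.

    Only an HMAC of each code is stored, so a leaked table does not reveal
    live codes; comparisons are constant-time; every code expires and is
    consumed after one successful use or after MAX_ATTEMPTS failures.
    """

    def __init__(self, server_secret: bytes, clock=time.time):
        self._secret = server_secret
        self._clock = clock          # injectable so tests can control time
        self._pending = {}           # address -> [digest, expires_at, attempts_left]

    def _digest(self, address: str, code: str) -> bytes:
        # Bind the code to the address so a code issued for one address
        # cannot be replayed against another.
        msg = address.encode() + b"\x00" + code.encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, address: str) -> str:
        """Create a 6-digit code bound to `address`; the caller delivers it."""
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, not random.randint
        self._pending[address] = [self._digest(address, code),
                                  self._clock() + CODE_TTL_SECONDS,
                                  MAX_ATTEMPTS]
        return code

    def verify(self, address: str, code: str) -> bool:
        """True iff `code` is the live code for `address`.

        A True result proves only that the submitter could read messages
        sent to `address`; it says nothing about who that person is.
        """
        entry = self._pending.get(address)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[address]
            return False
        entry[2] -= 1                                # every guess costs an attempt
        ok = hmac.compare_digest(digest, self._digest(address, code))
        if ok or entry[2] <= 0:
            del self._pending[address]               # single use / lockout
        return ok


def demo() -> dict:
    """Walk through the expected behaviours with a fake clock; returns results."""
    now = [1_000_000.0]
    store = ConfirmationCodeStore(secrets.token_bytes(32), clock=lambda: now[0])
    addr = "applicant@example.test"                  # constructed address

    code = store.issue(addr)
    wrong = "000000" if code != "000000" else "000001"
    results = {
        "wrong_code_rejected": store.verify(addr, wrong),
        "right_code_accepted": store.verify(addr, code),
        "reuse_rejected": store.verify(addr, code),
    }

    code = store.issue(addr)
    now[0] += CODE_TTL_SECONDS + 1                   # let the code expire
    results["expired_rejected"] = store.verify(addr, code)

    code = store.issue(addr)
    wrong = "000000" if code != "000000" else "000001"
    for _ in range(MAX_ATTEMPTS):                    # exhaust the guess budget
        store.verify(addr, wrong)
    results["locked_out_after_guesses"] = store.verify(addr, code)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The guess budget matters because a six-digit code has only a million possibilities; without a cap, an attacker who controls the request path but not the mailbox can brute-force it. Binding the digest to the address and the server secret keeps a dumped `_pending` table useless without the secret.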
CMS and its parent agency, the Department of Health and Human Services, did not respond to requests for comment.
In written comments responding to the report, HHS said the GAO's recommendations would "create undue burden, create barriers to accessing federal services, or may be cost prohibitive."
Alternatives involving mobile devices were also unsuitable because some of the populations HHS serves do not have cellphones, HHS wrote, and in-person verification would not work because some of those populations live in rural areas. HHS did not say how many of its beneficiaries lack cellphones or live in rural areas.
“In the absence of viable alternatives to knowledge-based verification, HHS will continue to monitor for effective solutions and, if any become available, utilize them as appropriately and feasibly,” HHS wrote.
The Office of Management and Budget did not provide comments on the GAO’s recommendations. The four other agencies — the Commerce Department, the United States Postal Service, the Social Security Administration and the Department of Veterans Affairs — agreed with their respective recommendations in the report.
“Until CMS takes steps to develop a plan with time frames and milestones to eliminate the use of knowledge-based verification, CMS and Healthcare.gov applicants will remain at an increased risk of identity fraud,” the GAO wrote.
Andrew Eversden covered all things defense technology for C4ISRNET. Beforehand, he reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.