The Patient Protection and Affordable Care Act of 2010 required the establishment of health insurance marketplaces in each state to allow consumers to compare, select, and purchase health insurance plans. States establishing their own marketplaces are responsible for securing the supporting information systems to protect the sensitive personal information they contain. The Centers for Medicare & Medicaid Services (CMS) is responsible for overseeing states' efforts, as well as securing federal systems to which marketplaces connect, including the Federal Data Services Hub.
The GAO was asked to review security issues related to the Federal Data Services Hub and CMS oversight of state-based marketplaces. Its objectives were to (1) describe security and privacy incidents reported for Healthcare.gov and related systems, (2) assess the effectiveness of security controls for the Federal Data Services Hub, and (3) assess CMS oversight of state-based marketplaces and the security of selected state-based marketplaces. The GAO reviewed incident data, analyzed networks and controls, reviewed policies and procedures, and interviewed CMS and marketplace officials.