Blue Button breach to test CMS response to inappropriate data access
In the wake of the data breach at the Centers for Medicare and Medicaid Services, the agency has conducted a review of Blue Button 2.0, an application that Medicare beneficiaries use to access their own personal Medicare claims data.
Nearly 10,000 beneficiaries were affected by the breach as were 30 applications. Sloppy coding and a bug contributed to the breach, as the bug caused beneficiary information to be shared with other beneficiaries. Further, assumptions were made and not validated, and the identity management system was not tested, CMS acknowledges.
The agency reports that no beneficiary Social Security, bank account or credit card numbers were exposed because Blue Button 2.0 does not have access to the information.
“The reality is that this stuff is tricky and I’m not surprised,” says Kate Borten, president at the Marblehead Group data security consultancy in Marblehead, Mass.
“Should the breach had happened? No, but when dealing with large organizations and multiple teams, there are always opportunities for mistakes. There may have been a lack of communication, or specifications may not have been reviewed or shared. It is human error but we’re not perfect,” Borten says.
Too often, various groups may be working in isolated teams and not adequately coordinating with the other groups, and that’s when it is possible to encounter more bugs and loopholes, Borten notes. To develop stronger processes it’s a good idea to include older members in the organization who have a treasure trove of professional knowledge.
For now, CMS is doing the right things to rectify the breach, Borten says. The agency has announced it will be mailing breach notification letters to the 10,000 affected beneficiaries in the coming weeks, but she wonders what comes next.
“Will CMS go further and examine its other information systems and processes? I hope CMS looks everywhere. They got caught on the Blue Button system, but what about other CMS systems? Will those teams conduct a review process to see if they could be affected? This is an opportunity for CMS and other healthcare organizations to ask themselves if this could happen to them.”
CMS has announced that only 30 authorized Blue Button apps were affected and the apps will be able to reconnect to the Blue Button 2.0 application programming interface after the companies that created them provide CMS with written confirmation that they have implemented a plan to address any incorrect data in their app.