On Friday, the House passed the Health Exchange Security and Transparency Act, a one-sentence bill that, in the event of any security breach of HealthCare.gov, would require the government to notify affected individuals within two days.
But the real purpose of the bill seems to be to keep negative attention on HealthCare.gov, not to keep users' information secure.
The ranking Democrats on the House Committee on Oversight and Government Reform noted in a memo that "there have been no successful security attacks to date on HealthCare.gov," "HealthCare.gov does not collect or store detailed personal health information," and there are already protocols in place "for informing affected citizens as rapidly as possible in the event of a security breach."
The fact that there have not been any security attacks to date on HealthCare.gov does not mean such attacks are inconceivable, of course. Most data storage systems are not immune to security breaches. But the latest bill, which House Speaker John Boehner (R-Ohio) called in a video on his website "part of a broader effort to protect the American people from the consequences of this disastrous law," does not address site security directly and won't make the data that HealthCare.gov does store any safer.
The Department of Health and Human Services already has a policy in place that requires that people be notified in a timely manner if their "personally identifiable information" has been compromised. After all, the government handles sensitive personal information all the time and has protocols to manage it.
A law that calls out HealthCare.gov in particular, meanwhile, is simply a scare tactic — and the two-day requirement is impractical and unhelpful.
"[Security] breaches take time to investigate, and if notification is required within two days, consumers potentially affected are not likely to receive much useful information about the breach," consumer advocate Deven McGraw, director of the health privacy project at the Center for Democracy & Technology, told GovInfoSecurity.
The White House's official response to the bill also noted that such stringent reporting standards would require notification even if the compromised data contained only benign, publicly available information — presumably things like names and addresses. Such a speedy notification policy, the response added, could "seriously impede the law enforcement investigation of a breach." (Investigators may need time to gather evidence, for example, before letting hackers know they are looking for them.)
But ganging up on the beleaguered HealthCare.gov — even as enrollment is surging — is a popular move, and the 291 to 122 vote to pass the one-sentence Health Exchange Security and Transparency Act included 67 Democrats.
Why? "Democrats in tight reelection contests will likely continue voting with Republicans on such proposals, not only in an attempt to blunt attempts to tie the lawmaker to Obama and the law, but also to demonstrate a willingness to address concerns in a bipartisan fashion," Democratic aides told The Washington Post.
Yet the tone of the Republicans vocally supporting the bill was anything but problem-solving and bipartisan.
"What does the Obama administration have against protecting the privacy of American families' personal information?" asked Representative Steve Scalise (R-Louisiana). That kind of inflammatory language, implying that the bill is a practical safeguard and not a political maneuver, is misguided and wrong.
Should security be a concern? Absolutely. But this bill is not — and does not attempt to be — a reasonable solution.
While the House succeeded in generating more negative attention for HealthCare.gov, the bill probably won't go anywhere. "The White House stopped short of issuing a veto threat," Pete Kasperowicz noted at The Hill, "but Senate Democrats are unlikely to take it up."