After Public Push, CMS Curbs Health Insurance Agents’ Access to Consumer SSNs

A photograph of a laptop. On the screen is the homepage for healthcare.gov.

Until last week, the system that is used to enroll people in federal Affordable Care Act insurance plans inadvertently allowed access by insurance brokers to consumers’ full Social Security numbers, information brokers don’t need.

That raised concerns about the potential for misuse.

The access to policyholders’ personal information was one of the problems cited in a KFF Health News article describing growing complaints about rogue agents enrolling people in ACA coverage, also known as Obamacare, or switching consumers’ plans without their permission in order to garner the commissions. The consumers are often unaware of the changes until they go to use their plan and find their doctors are not in the new plan’s network or their drugs are not covered.

Agent Joshua Brooker told KFF Health News it was relatively easy for agents to access full Social Security numbers through the federal insurance marketplace’s enrollment platforms, warning that “bad eggs now have access to all this private information about an individual.”

On April 1, the morning the article was posted on NPR’s website, Brooker said, he got a call from the Centers for Medicare & Medicaid Services questioning the accuracy of his comments.

A CMS representative told him he was wrong and that the numbers were hidden, Brooker said April 7. “I illustrated that they were not,” he said.

After he showed how the information could be accessed, “the immediate response was a scramble to patch what was acknowledged as ‘problematic,’” Brooker posted to social media late last week.

Brooker has followed the issue closely as chair of a marketplace committee for the National Association of Benefits and Insurance Professionals, a trade group.

After some phone calls with CMS and other technical experts, Brooker said, the federal site and direct enrollment partner platforms now mask the first six digits of the SSNs.

“It was fixed Wednesday evening,” Brooker told KFF Health News. “This is great news for consumers.”

An April 8 written statement from CMS said the agency places the highest priority on protecting consumer privacy.

“Upon learning of this system vulnerability, CMS took immediate action to reach out to the direct enrollment platform where vulnerability was identified to make sure it was addressed,” wrote Jeff Wu, acting director of the Center for Consumer Information & Insurance Oversight at CMS.

He added that the Social Security numbers were not accessible through routine use of the platform but were in a portion of the site called developer tools. “This issue does not impact healthcare.gov,” Wu wrote.

Brooker’s concern about Social Security numbers centered on access by licensed agents to existing policyholder information though the federal marketplace, not including the parts of healthcare.gov used by consumers, who cannot access anything but their own accounts.

While consumers can enroll on their own, many turn to agents for assistance. There are about 70,000 licensed agents nationwide certified to use the healthcare.gov site or its partner enrollment platforms. They must meet certain training and licensing requirements to do so. Brooker has been quick to say it is a minority of agents who are causing the problem.

But agents increasingly are frustrated by what they describe as a sharp increase during the second half of 2023 and into 2024 of unscrupulous rivals switching people from one plan to another, or at least switching the “agent of record” on the accounts, which directs the commission to the new agent. Wu’s statements have so far not included requested information on the number of complaints about unauthorized switching, or the number of agents who have been sanctioned as a result.

The changes shielding the Social Security numbers are helpful, Brooker said, but won’t necessarily slow unauthorized switching of plans. Rogue agents can still switch an enrollee’s plan with simply their name, date of birth, and state of residence, despite rules that require agents to collect written or recorded consent from consumers before making any changes.

Exit mobile version