[BreachExchange] Blue Button breach stems from coding issue, data of 10K affected
destry at riskbasedsecurity.com
Tue Dec 24 10:12:57 EST 2019
A data breach at the Centers for Medicare and Medicaid Services has
affected the protected health information of about 10,000 Medicare
beneficiaries and 30 applications.
Early analysis suggests that the leak of information was a result of a
series of missed opportunities by CMS and a third-party application
For example, the code change that introduced the bug behind the breach was
put in place on Jan. 11, 2018, and there were no follow-up checks for
11 months. “Based on check-in notes around the change, it appears that
a comprehensive review was not completed,” CMS acknowledges. “A more
comprehensive review may have identified this coding error.”
Medicare offers Blue Button, a service that enables beneficiaries to
access their own claims data via an application. Blue Button has been
getting an upgrade, and the code in question likely was introduced as
part of that work.
Beneficiaries use Blue Button to access their own personal Medicare
claims data. The bug caused certain beneficiaries' protected health
information (PHI) to be inadvertently shared with another beneficiary
or with the wrong Blue Button application.
CMS uses synthetic data to test Blue Button to verify functionality
without risking beneficiary personal health information. But in an
attempt to protect beneficiary PHI, integration with other systems,
such as the identity management system, was not tested. Experts
believe that using early reviews of test scenarios would have found
the gaps in security.
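The testing gap described above is an authorization-boundary problem: synthetic-data tests exercised functionality, but not whether the records returned for a token actually belonged to that token's subject once the separately owned identity service was in the loop. The Python below is an added illustration, not CMS or Blue Button code, and the article does not describe the defect's mechanism; it shows a response-side ownership check that refuses any record whose beneficiary differs from the authenticated subject, so a wrong lookup anywhere upstream is blocked rather than served. The IdentityService, the Claim type, the synthetic claims and the injected faulty lookup are all constructed for the example.

```python
from dataclasses import dataclass


class OwnershipViolation(Exception):
    """Raised when a record does not belong to the authenticated subject."""


@dataclass(frozen=True)
class Claim:
    claim_id: str
    beneficiary_id: str
    amount_cents: int


# Constructed synthetic claims (no real PHI), keyed by beneficiary id.
SYNTHETIC_CLAIMS = {
    "bene-0001": [Claim("c-1", "bene-0001", 12500), Claim("c-2", "bene-0001", 4300)],
    "bene-0002": [Claim("c-3", "bene-0002", 9900)],
}


class IdentityService:
    """Hypothetical stand-in for a separately owned identity/token service.

    It issues opaque tokens and resolves them back to a subject id. The API
    below treats whatever it returns as input to the ownership check, not as
    proof that the records it then fetches are correct.
    """

    def __init__(self):
        self._tokens = {}

    def issue(self, beneficiary_id: str) -> str:
        token = f"tok-{len(self._tokens) + 1:04d}"
        self._tokens[token] = beneficiary_id
        return token

    def resolve(self, token: str) -> str:
        return self._tokens[token]


def fetch_claims(store, beneficiary_id):
    """Correct lookup: claims filed under exactly this beneficiary id."""
    return list(store.get(beneficiary_id, []))


def get_claims(token, identity, store, fetch=fetch_claims):
    """Serve claims for the token's subject, enforcing ownership per record.

    `fetch` is injectable so the check can be exercised against a deliberately
    wrong lookup, standing in for any upstream bug in token or data handling.
    """
    subject = identity.resolve(token)
    records = fetch(store, subject)
    for rec in records:
        if rec.beneficiary_id != subject:
            # Fail closed: never return another beneficiary's PHI.
            raise OwnershipViolation(
                f"record {rec.claim_id} belongs to {rec.beneficiary_id}, "
                f"not authenticated subject {subject}"
            )
    return records


def run_scenarios():
    """Run the happy path and a constructed cross-beneficiary fault."""
    identity = IdentityService()
    t1 = identity.issue("bene-0001")
    served = get_claims(t1, identity, SYNTHETIC_CLAIMS)

    # Constructed fault: a lookup that returns a different beneficiary's data.
    def faulty_fetch(store, subject):
        other = "bene-0002" if subject == "bene-0001" else "bene-0001"
        return fetch_claims(store, other)

    try:
        get_claims(t1, identity, SYNTHETIC_CLAIMS, fetch=faulty_fetch)
        blocked = False
    except OwnershipViolation:
        blocked = True
    return {"served": [c.claim_id for c in served], "leak_blocked": blocked}


if __name__ == "__main__":
    print(run_scenarios())
```

The point of the injectable `fetch` is that an integration test can deliberately break the data path and confirm the API still refuses to serve the wrong beneficiary's records; a test suite that only checks functionality with synthetic data never exercises this invariant.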
Other experts contend that cross-team collaboration was not optimal.
The code that generates the user ID token was run by a separate
identity management team. Assumptions were made by the Blue Button
team about how the token works, and those assumptions were not
“Better collaboration across enterprise teams could have ensured that
necessary information was present in decision making,” according to
The incident does not affect other CMS beneficiary systems, such as
PlanFinder and Medicare.gov. The breach was contained to Blue Button
2.0 API authorized users and developers, and not Medicare
beneficiaries more broadly or outside entities.
Now, CMS is implementing new processes for documenting code changes
and will implement a new approach to audit tracking.
“This wasn’t a hacking; this was an individual coding error,” says
Linn Freedman, a cybersecurity specialist at Brown University and a
partner at the Robinson+Cole law firm in Providence, R.I.
“CMS should not be held to a different standard than any other
entity,” Freedman adds. “This is an incident that is unfortunate, but
CMS holds the Medicare health information of everyone over age 65 and
Medicaid beneficiaries. They fixed the bug, but it’s unclear if
unauthorized content was disclosed.”
Brian Murphy, a healthcare industry analyst at the Chilmark data
security research firm, says monitoring security status is a standard
remedy, but the level of monitoring varies. “Many organizations think
they follow standard information security protocols, but the lesson is
that there is no amount of perfect preparations and there are always
circumstances—to expect perfection is beyond us. CMS needs to redouble
efforts and see if other changes need to be made because every breach
is an opportunity to learn.”
Murphy says he hopes the agency will set an example and disclose more
information on the breach—beyond that which most organizations
disclose. But he adds that he would not be shocked if CMS hasn’t been
breached before, whether the agency knew it or not.
CMS has admitted that the breach could have been detected if agency
personnel and the third-party application partner had conducted a
comprehensive review of the entire system, which was not done.
CMS has not communicated whether it will offer credit-monitoring
services and other protective services to affected individuals.
“After the agency completes an in-depth analysis of the impact to
affected beneficiaries, CMS will determine necessary additional
protections to offer affected beneficiaries (e.g., credit monitoring
and a special enrollment period),” the agency noted. CMS did not
respond to a request for more clarification on protective services.