WASHINGTON — A government data warehouse that stores personal information on millions of HealthCare.gov customers is raising privacy concerns at a time when major breaches have become distressingly common.
A government privacy assessment dated Jan. 15 says data “is maintained indefinitely at this time,” but the administration said Monday no final time frame has been decided, and the National Archives has recommended a 10-year retention period.
Known as MIDAS, the system is described on a federal website as the “perpetual central repository” for information collected under President Obama's health care law.
The information includes Social Security numbers, birthdates, addresses, phone numbers, passport numbers, employment status and financial accounts.
The vast scope of the information — and the lack of a final plan for destroying old records nearly four years since the system was commissioned — have raised concerns about privacy and the government's judgment on technology.
“A basic privacy principle is that you don't retain data any longer than you have to,” said Lee Tien, a senior staff attorney with the Electronic Frontier Foundation.
The Obama administration says MIDAS is essential to the smooth operation of the health care law's insurance markets and meets or exceeds federal security and privacy standards. “MIDAS is a critical piece of the marketplace ecosystem,” said spokesman Aaron Albright.
But Sen. Orrin Hatch, R-Utah, called the administration's approach “careless.”
“Despite (a) poor track record on protecting the private information of Americans, they continue to use systems without adequately assessing these critical components,” said Hatch, an opponent of the health care law.
Before HealthCare.gov went live in 2013, administration officials assured lawmakers and the public that personal information would be used mainly to determine eligibility for coverage and that the Affordable Care Act would have a limited impact on privacy.
MIDAS has been criticized in opinion articles by former Social Security commissioner Michael Astrue, a Republican who disapproves of Obama administration policies. Independent experts on technology and privacy echoed some of the concerns.
“I accept they have an operational reason, if not a legal obligation, to keep data for a reasonable period,” said Astrue, commissioner from 2007 to 2013. But there's no justification for keeping data indefinitely, he added. “I don't think they should be allowed to do it.”

