The Trump administration has called off the search for a contractor to oversee a system that stores the personal data of Healthcare.gov and state marketplace users.
The system, known as MIDAS, houses names, Social Security numbers, birth dates, addresses, phone numbers, passport numbers, employment status and financial account information of customers. It's been criticized as not properly protecting the data.
IDL Solutions, a subsidiary of CACI International Inc, an IT vendor, has held the contract for MIDAS since 2011 and has been paid $127 million to date, according to federal data.
The CMS began the rebidding process for the $100 million contract in January.
The agency has now postponed the search until October 2017 and hopes to award a new contract by March 2018. The federal agency said it didn't think it could find a new vendor in time for the next open enrollment period starting Nov. 1.
"There would be a steep learning curve for the new contractor," the CMS said in a contracting notice. "A contract transition would be less risky outside the open enrollment window."
Congress and federal audits have determined MIDAS is vulnerable to cyber-attacks.
But many of the problems had more to do with a lack of oversight from the CMS than the system being inherently flawed, said Aaron Miri, CIO and vice president of government relations at Imprivata, a healthcare IT security company.
"Any application or system is as secure as the owner of the data," Miri said. "You don't, and can't, blame technology when the responsible person is the administrator of the system."
Kevin Counihan, who was CEO of HealthCare.gov under President Barack Obama, said the system was much improved by the time he left in January.
"There was much testing and oversight to make sure our enrollees' information was protected, and we were confident in the integrity of this protection," Counihan said.
Morgan Wright, a cyber-security consultant who has testified before Congress twice over his concerns about the protection of personal data on Healthcare.gov, said he was concerned the search delay could mean new vulnerabilities to the system have been discovered.
Michael Astrue, former general counsel of the HHS under George H.W. Bush and a longtime critic of the federal marketplace privacy standards, praised the Trump administration for pausing its search and said he hopes it's a first step to limit the data collected and retained on MIDAS.
MIDAS permanently retains personal data of not only those who gained coverage on the marketplaces but also those who went to the sites but didn't finish the application process.
MIDAS should "retain only what is necessary to get people insured and to monitor hacking, and most of those data should be destroyed in less than a year," Astrue said.