Experts Cast Nervous Eye on Musk and Team’s Handling of Health-Related Info

Privacy experts are keeping a nervous eye on the potential for compromises involving Americans’ personal and health information resulting from the Trump administration’s so-called Department of Government Efficiency – led by billionaire Elon Musk – accessing government IT systems containing Medicare beneficiary and health-related information.
On Wednesday, the Centers for Medicare and Medicaid Services – the biggest unit of the U.S. Department of Health and Human Services – confirmed in a public statement that it is “collaborating” with DOGE as Musk and his team purportedly examine how to make the federal government more efficient.
Earlier on Wednesday, the Wall Street Journal reported that DOGE associates had been onsite at CMS offices this week “searching” for potential fraud in the agency’s Medicare payment systems. CMS’ fiscal year 2024 financial report said the agency – which oversees Medicare and Medicaid benefits – paid out about $1.5 trillion in payments during the year.
“CMS has two senior agency veterans – one focused on policy and one focused on operations – who are leading the collaboration with DOGE, including ensuring appropriate access to CMS systems and technology,” CMS said in its statement about the situation.
“We are taking a thoughtful approach to see where there may be opportunities for more effective and efficient use of resources in line with meeting the goals of President Trump.”
The White House’s DOGE – which despite its name is not an official governmental department – last week also gained access to sensitive Department of Treasury data, including Social Security payment systems, raising serious concerns (see: White House Defends Musk Amid Sensitive Data Access Uproar).
Breach Concerns
But some privacy and regulatory experts say DOGE accessing CMS’ IT systems, which contain gigantic troves of various Medicare and Medicaid data, steers into murky waters for potential breaches, accidental as well as malicious, involving HIPAA-protected health information and other sensitive personal health-related information.
In general, CMS files contain identifiable and non-identifiable information on patients, depending on the program, said regulatory attorney Sharon Klein of the law firm Blank Rome.
“CMS has identifiable claim information on individuals which contain PHI relevant to the care for which the patient seeks reimbursement,” she said. “It also manages research and has healthcare information without specific identifiers to a unique patient, or limited data sets,” she said. Additionally, CMS has public use files that are fully anonymized and not identifiable to the individual, she said.
“CMS policy and HIPAA require that the privacy of identified and identifiable protected health information be held securely and [users] only review the minimum amount of data necessary for the task,” she said.
Any unauthorized access to PHI, if prohibited by HIPAA, is a potential violation, even if “read only” data is accessed. That “does not insulate from HIPAA,” she said.
DOGE’s stated intent to uncover fraud does not offset the potential for breaches and other compromises involving the data being accessed, other experts said.
“I think that DOGE is seeking to find fraud and abuse, and there likely is a lot of opportunity to do so in the federal health insurance programs,” said one longtime regulatory expert who asked not to be named.
But the mad dash by DOGE to access these systems is unsettling, the expert said. “I do not see the administration crossing every ‘t’ and dotting every ‘i’ to ensure that they do so in a legally compliant manner. Will their review encompass patient information in the long run, if not already? Probably,” the expert said.
“I imagine that Elon has dreams of using advanced AI to identify potential fraud, seeking to identify providers who may be upcoding or submitting false claims. Probably similar to past HHS Office of the Inspector General efforts, but on steroids, without any guardrails, and with a lot less concern over the process rights of the providers,” the expert said.
“Do I think that Elon Musk is going to use this opportunity to collect protected health information on every Medicare and Medicaid beneficiary for his own financial gain? No. Do I think that rushed access to systems with protected health information could lead to an increased risk of a breach? Yes.”
“But ultimately, I think the risk of a massive breach from a foreign state is probably far larger than the risk of a breach due to a rushed granting of access to DOGE,” the expert said.
Meanwhile, other experts pointed out there is much uncertainty about exactly which types of CMS and other potential HHS agency data are being accessed and how the data will be used.
“It is so hard to have any confidence in any information that is coming out about these developments,” said privacy attorney Kirk Nahra of the law firm WilmerHale.
“Obviously, as with any agency, there will be some kind of procurement database that includes vendor agreements,” he said. “It is certainly possible that access has been limited to this kind of data, which should not include patient information. I would also not expect that to include participation agreements for Medicare which are not ‘typical’ government contracts,” he said.
“Healthcare fraud has always been a problem in healthcare,” Nahra said. Still, he said, “it is very hard to be comfortable with these blanket statements about fraud, which do not appear to be driven by any actual information at this point.”