A government data warehouse that stores personal information on millions of HealthCare.gov customers is raising privacy concerns at a time when major breaches have become distressingly common.
A government privacy assessment dated Jan. 15 says data "is maintained indefinitely at this time," but the administration said Monday no final time frame has been decided, and the National Archives has recommended a 10-year retention period.
Known as MIDAS, the system is described on a federal website as the "perpetual central repository" for information collected under President Barack Obama's health care law.
The information stored includes names, Social Security numbers, birthdates, addresses, phone numbers, passport numbers, employment status and financial accounts.
The vast scope of the information—and the lack of a final plan for destroying old records nearly four years after the system was commissioned—have raised concerns about privacy and the government's judgment on technology.
"A basic privacy principle is that you don't retain data any longer than you have to," said Lee Tien, a senior staff attorney with the Electronic Frontier Foundation.
"Even 10 years feels long to me," Tien said.
The Obama administration says MIDAS is essential to the smooth operation of the health care law's insurance markets and meets or exceeds federal security and privacy standards. "MIDAS is a critical piece of the marketplace ecosystem," said spokesman Aaron Albright.
But Sen. Orrin Hatch, R-Utah, called the administration's approach "careless."
"Despite (a) poor track record on protecting the private information of Americans, they continue to use systems without adequately assessing these critical components," said Hatch, an opponent of the health care law.
Electronic record-keeping systems are standard for businesses and government agencies. They are supposed to have limits on how long they store personal data.
In the new wired world, every few weeks brings another security breach. Personnel records of millions of federal employees, including background information for security clearances, were compromised in the latest attacks making headlines. Earlier this year, health insurer Anthem reported that information on 80 million customers was hacked.
Before HealthCare.gov went live in 2013, Obama administration officials assured lawmakers and the public that an individual's personal information would be used mainly to determine eligibility for coverage, and that the Affordable Care Act would have a limited impact on privacy.
Marilyn Tavenner, the Medicare administrator at the time, told a congressional hearing: "We especially focused on storing the minimum amount of personal data possible," she added.
MIDAS has been criticized in opinion articles by former Social Security commissioner Michael Astrue, a Republican who disapproves of Obama administration policies. Independent experts on technology and privacy echoed some of the concerns.
"I accept they have an operational reason, if not a legal obligation, to keep data for a reasonable period," said Astrue, commissioner from 2007-2013. But there's no justification for keeping data indefinitely, he added. "I don't think they should be allowed to do it."
Michelle De Mooy, deputy director for consumer privacy at the Center for Democracy & Technology, said consumers have no way of knowing that their data is being routed to MIDAS. It's not mentioned on the HealthCare.gov website.
"When people go to government services sites, they don't have a choice," De Mooy said. "That means the privacy and security bar should be very high."
MIDAS stands for Multidimensional Insurance Data Analytics System. It's owned by the federal Centers for Medicare and Medicaid Services and operated by a major government technology contractor, CACI. The administration says the contract is currently worth more than $110 million from 2011-2017. That's an increase of more than 85 percent from $59 million when it was awarded.
Some details about MIDAS, gleaned from interviews and publicly available documents:
—The administration launched MIDAS without a complete privacy assessment.
The nonpartisan Government Accountability Office said in a report last year that the system went live without a thorough examination of privacy risks. Without such an analysis "it will be difficult for (the administration) to demonstrate that it has assessed the potential for (personal information) to be displayed to users ... and taken steps to ensure that the privacy of that data is protected," the GAO said.
The privacy assessment was not completed until mid-January, well into the health law's second sign-up season.
—The privacy analysis is vague on key details.
In a section that asks how many individuals have personal data in the system, the administration's privacy assessment says "1 million or more."
It's probably a lot more. In addition to the 10 million currently enrolled, MIDAS also keeps information on former customers, on consumers who started applications but never finished them and on people determined eligible for Medicaid.
The administration says "1 million or more" is a standard category—but won't specify the number.
—MIDAS has had multiple, evolving missions.
Government reports describe MIDAS as a resource for producing analytical reports. But it also seems to have evolved into a linchpin for data transactions with health insurance companies and state Medicaid agencies.
MIDAS gathers information from many other systems that serve the health care law's insurance markets.
The MIDAS privacy assessment says policies about personal data have changed over time to allow additional uses and disclosures. The scope of data collected also has been widened.
Explore further: US won't reveal records on health website security