The federal government and the states should improve how they protect the security of confidential tax information of people getting benefits under the 2010 health care law, federal investigators said Thursday.
Federal and state agencies operating health insurance exchanges — where consumers can shop for private coverage — should be required to get independent assessments of how well they protect tax information the IRS sends them, according to the report. It also said states must do a better job of making sure managers ensure that the systems are secure.
Continue Reading Below
The investigators said they watched IRS officials conduct security reviews of Connecticut's and California's exchanges and found the tax agency's testing to be "generally adequate."
But the report added, "Additional procedures are needed to provide greater assurance" that taxpayer data will be safe before the IRS sends it to the exchanges.
The IRS provides the exchanges with limited data on lower-income people who apply for tax credits to help pay for their health insurance. This includes information on household income, family size and filing status.
In a written statement, the IRS said there have been no breaches of tax data the agency has provided to exchanges.
"The IRS has a long and proven track record of safely and securely transmitting federal tax information through data sharing agreements to nearly 300 federal and state agencies on a regular basis," the agency said.
It added that the report's recommendations "will help make our process even stronger."
The report was by the Treasury Inspector General for Tax Administration, which audits the IRS.
The cybersecurity of personal data related to the health care law has been the subject of previous investigations this year.
Last month, investigators from the federal Department of Health and Human Services gave mixed reviews to the security of HealthCare.gov, the federal government's portal for buying private insurance. The Government Accountability Office, Congress' investigative agency, also said in September that it found more than 20 HealthCare.gov vulnerabilities related to who can enter the system and make changes in it.
HealthCare.gov serves residents of 36 states. The remaining 14 states and the District of Columbia run their own insurance exchanges.