Justin Hadley logged on to HealthCare.gov to evaluate his insurance options after his health plan was canceled. What he discovered was an apparent security flaw that disclosed eligibility letters addressed to individuals from another state.

“I was in complete shock,” said Hadley, who contacted Heritage after becoming alarmed at the breach of privacy.

Hadley, a North Carolina father, buys his insurance on the individual market. His insurance company, Blue Cross Blue Shield of North Carolina, directed him to HealthCare.gov in a cancellation letter he received in September.

After multiple attempts to access the problem-plagued website, Hadley finally made it past the registration page Thursday. That’s when he was greeted with a downloadable letter about eligibility — for two people in South Carolina. (Screenshot below.)

[Image: Capture 1]

The letter, dated October 8, acknowledges receipt of an application to the Health Insurance Marketplace and the eligibility of family members to purchase health coverage. The letter was addressed to Thomas Dougall, a lawyer from Elgin, SC.

Hadley shared a screenshot and copy of the letter with redacted personal information.

[Image: Capture 2]

Hadley wrote to Heritage on Thursday night and also contacted the U.S. Department of Health and Human Services, which administers HealthCare.gov, as well as elected officials in his state. He has yet to hear back from HHS, even though HealthCare.gov still displays the personal information of the South Carolina residents on his account.

Hadley reached out to Dougall on Friday to notify him of the breach. Dougall, who spoke to Heritage this evening, said he was evaluating health care options in early October. Dougall said he was able to register on HealthCare.gov, but decided not to sign up for insurance.

“The plans they offered were grossly expensive and didn’t provide the level of care I have now,” he said.

Dougall said he never saw the October 8 letter until Hadley sent it to him Friday.

After learning of the privacy breach, Dougall spent Friday evening trying to contact representatives from HealthCare.gov to no avail; he spent an hour waiting on the telephone and an online chat session was unhelpful. He also wrote to Senators Lindsey Graham (R-SC) and Tim Scott (R-SC), along with Representative Joe Wilson (R-SC).

“I want my personal information off of that website,” Dougall said.

Security Risk

Last week, the Associated Press disclosed a government memo revealing the “high” security risk for HealthCare.gov. Those concerns surfaced at Wednesday’s hearing with HHS Secretary Kathleen Sebelius, who claimed the system was secure.

HHS spokeswoman Joanne Peters told the AP, “When consumers fill out their online … applications, they can trust that the information they’re providing is protected by stringent security standards and that the technology underlying the application process has been tested and is secure.”

However, that didn’t stop members of Congress from voicing alarm.

“You accepted a risk on behalf of every user … that put their personal financial information at risk,” Representative Mike Rogers (R-MI) told Sebelius. “Amazon would never do this. ProFlowers would never do this. Kayak would never do this. This is completely an unacceptable level of security.”

Heritage cyber-security expert Steven Bucci, director of the Douglas and Sarah Allison Center for Foreign Policy Studies, said users of HealthCare.gov are leaving their personal information unsecured.

“Once it goes out over the system, it is vulnerable,” Bucci said. “There appears to have been a singular lack of concern for security. The site needs to receive and transmit sensitive personal information, yet it has less than state of the art security.”

Bucci said if a doctor’s receptionist speaks too loudly about personal information so that others could hear it, that’s a violation of the law.

“Functionality and security have to be the hallmark of programs like this one,” Bucci said. “The site has failed on both counts and has further weakened the confidence of the American people.”

Unanswered Questions

Hadley’s experience has left him unsure about what to do next. He said he was frustrated by the difficulty contacting the Department of Health and Human Services and lack of response from his elected representatives.

Dougall said he was grateful that Hadley made the call to him Friday, but voiced similar frustration with HHS. But while Dougall will continue with his current health plan, Hadley isn’t so fortunate.

Blue Cross Blue Shield of North Carolina informed Hadley that his current plan is no longer available and offered to auto-enroll him in a new health insurance plan. But that option would increase his monthly premiums by 92 percent and double his deductible. Hadley said he doesn’t qualify for any subsidies and won’t continue the process on HealthCare.gov because of the privacy breach.

“If I have their information, then who else has my information now?” Hadley worried.

After examining the letter Hadley downloaded, Heritage health policy analyst Chris Jacobs noted the irony of HHS’ promise: “The Health Insurance Marketplace protects the privacy and security of personally identifiable information.”

“Justin’s story demonstrates how Obamacare’s flaws go well beyond a bungled website,” Jacobs said. “From canceled coverage to skyrocketing premiums to the federal government’s failing to protect Americans’ personal data, the damage Obamacare has inflicted is becoming more and more clear each day.”

UPDATE: The screenshot above shows links to two downloadable letters, although Hadley says they are identical. Both are addressed to Dougall.