A government data warehouse that stores information indefinitely on millions of HealthCare.gov customers is raising privacy concerns at a time when major breaches have become distressingly common. Known as MIDAS, for Multidimensional Insurance Data Analytics System, it's described on a federal website as the "perpetual central repository" for information collected under President Barack Obama's health care law. "Data in MIDAS is maintained indefinitely at this time," says a government privacy assessment dated Jan. 15. The information stored includes names, Social Security numbers, birthdates, addresses, phone numbers, passport numbers, employment status and financial accounts.
The vast scope of the data — and the lack of a clear plan for destroying old records — have raised concerns about privacy and the government's judgment on technology. "A basic privacy principle is that you don't retain data any longer than you have to," said Lee Tien, a senior staff attorney with the Electronic Frontier Foundation. "The more data you keep, the more harm an attacker or unauthorized person can do."
Related: Health Data Breaches: 29 Million U.S. Records Exposed in Four Years
The Obama administration says MIDAS is essential to the smooth operation of the health care law's insurance markets and meets or exceeds federal security and privacy standards. "MIDAS is a critical piece of the marketplace ecosystem," said spokesman Aaron Albright.
Related: Second Cyberattack on U.S. May Have Exposed Security Information
Electronic record-keeping systems are standard for businesses and government agencies. But they are supposed to have limits on how long they store personal data. In the new wired world, every few weeks brings another security breach. Personnel records of millions of federal employees, including background information for security clearances, were compromised in the latest cyberattacks making headlines. Earlier this year, health insurer Anthem reported that information on 80 million customers was hacked. Before HealthCare.gov went live in 2013, Obama administration officials assured lawmakers and the public that an individual's personal information would be used mainly to determine eligibility for coverage, and that the Affordable Care Act would have a limited impact on privacy.
MIDAS has been criticized in opinion articles by former Social Security commissioner Michael Astrue, a Republican who disapproves of Obama administration policies. Independent experts on technology and privacy echoed some of the concerns. "I accept they have an operational reason, if not a legal obligation, to keep data for a reasonable period," said Astrue, commissioner from 2007-2013. But there's no justification for keeping data indefinitely, he added.