Tom Dougall, an attorney in Elgin, S.C., received a voicemail on Friday from a stranger in North Carolina saying he could access all of Dougall’s personal information through healthcare.gov.
"I believe somehow the ACA, the Healthcare website has sent me your information, is what it looks like," said Justin Hadley, a North Carolina resident who could access Tom's information on the federal health care exchange website. "I think there's a problem with the wrong information getting to the wrong people."
In a telephone interview with WIS News, Hadley said all he had to do was type in his username and password, and Dougall’s information appeared.
"The next page that came up was a page that prompted that I have a marketplace eligibility information to download. And that's when I clicked download and Mr. Dougall's information came up in a PDF document," said Hadley.
Dougall said he thought it was a scam at first.
"Initially I was concerned because I didn't know if this was some guy who was scamming me or if in fact this was a guy who really had my personal information," he said.
Hadley even provided documentation of Dougall’s personal information, and screenshots with the personal information redacted, to the Heritage Foundation.
“We’re told constantly that it’s a secure system and it’s not, obviously,” Dougall said.
In September, Blue Cross Blue Shield of North Carolina notified Hadley that his policy had been cancelled, according to the Heritage Foundation. He finally made it past the registration page Thursday after multiple attempts, but was presented with a letter about eligibility meant for Dougall and his wife.
"I tried to call healthcare.gov last night and they have no procedure whatsoever to handle security breaches," Dougall said. "All they can do is try to sell you a policy."
He contacted Senators Lindsey Graham (R-S.C.) and Tim Scott (R-S.C.), and Representative Joe Wilson (R-S.C.) after realizing his security had truly been breached. He’s also going to call the Department of Health and Human Services directly on Monday.
“They’re so concerned with trying to fix the problems they currently have that they refuse to acknowledge or won’t acknowledge that there’s been a major breach,” he said.
WIS contacted the U.S. Department of Health and Human Services, and an HHS official said a security team was working to fix the issue “in the very near future.”
The official added that consumers may call the toll-free number or access the 24/7 chat feature on the website for help.