Georgia is paying hackers to break into its Medicaid portal
Add Axios as your preferred source to
see more of our stories on Google.
Illustration: Aïda Amer/Axios
This story was jointly reported by Axios and the AJC, which are both owned by Cox Enterprises.
Georgia has been paying hackers to try to break into its Gateway portal, the state platform that manages benefits like Medicaid and food stamps for citizens.
- They've found and are in the process of fixing dozens of vulnerabilities.
Why it matters: The stakes are high when it comes to data protection of benefit management systems, said Chris Apsey, assistant deputy commissioner for strategic technology innovation, who spearheaded the project. The private health information of millions of Georgians guarded within Gateway can cause major damage if released.
- Health data leaks "can impact your employability, your health care premium. Legal or not, it's just not a situation that we want to put any of our constituents in," he said.
- Compared to the private sector, he said, "It's just a very different beast in terms of the level of attention and overall security that the system requires."
Driving the news: The state says this is the first-ever "bug bounty" program for a benefits management web portal in the country — and the first for a Georgia agency.
- Through a partnership with cybersecurity company HackerOne, in the last month, the Department of Human Services has paid out $200,000 to hackers who have found about 30 cybersecurity vulnerabilities, which they're sealing.
Threat level: Among the vulnerabilities detected, he said, hackers have been able to break into 100 DFCS employees' computers, as well as access every benefit recipient's records.
Be smart: Apsey made clear there's no evidence Gateway has been hacked by bad actors. "Of course, it's always possible, which is why we're doing this program to make sure that we are one step ahead," he said.
- The program comes after many Georgians reported instances of fraud or hacking following the rollout of the state's $350 cash assistance payments.
- These individual incidents, he said, are likely tied to information leaked in other data breaches and then used against recipients.
Go deeper: The implications of identifying these loopholes could go far beyond Georgia. Apsey said the state has shared any problems with the federal government and the vendor who built Gateway, Deloitte, to get things patched.
- Deloitte handles benefits portals in other states too, he said, and where appropriate those repairs are translated.
- "It's not like we're in a vacuum leaving other states hanging out to dry," he said.
Of note: Karen Walsh, a spokesperson for Deloitte, said that she could not comment on particular systems, but said the company, "the nation's leading provider of health and human service consulting," is always working to improve its security measures.
- “We work collaboratively with the State of Georgia and other clients to constantly enhance the security of our systems, respond to ever-changing cyber threats, and fortify system protections as issues are identified," she said.
Between the lines: "Bug bounties" are a best practice cybersecurity protocol but aren't as common in government. Apsey said that's because governments tend to be risk averse and instead focus on things like an incident response.
- However, when Georgia pitched the idea to the federal Centers for Medicare & Medicaid Services, the federal agency agreed to front 90% of the nearly $400,000 price tag.
- It's been a great opportunity "to crowdsource what's a really valuable position that state governments oftentimes can't afford," Apsey said.
What's next: DHS plans to add $300,000 more to the pot to continue the program.