OPM Database Storing 4 Billion Employee Health Records Needs Security Upgrades
About an hour and a half into a combative House hearing on the massive breach of federal personnel and security-clearance files, lawmakers got around to asking officials at the Office of Personnel Management whether the agency also collects federal workers’ health data. "No," OPM Director Katherine Archuleta said. The agency only collects information about employees’ selection of insurance providers, she said. But the Office of Personnel Management is preparing to go live with a database of health claims, meant to aid agency planners in conducting cost analyses, that will contain just that type of detailed health information on federal workers.
Meanwhile, the OPM Office of the Inspector General, which operates under separate statutory authority from the agency writ large, does, in fact, maintain a massive database of employees’ health information. The OIG’s “data warehouse” of federal employees’ health and prescription drug claims is used by auditors to detect fraud in the Federal Employees Health Benefits Program. It contains 4 billion records, and is a treasure trove of sensitive data, including personally identifiable information and protected health information, such as diagnoses and conditions. And the system needs security upgrades, according to a little-noticed OPM budget document from earlier in 2015. To be clear, officials say employee health information was not compromised in the two recent OPM hacks. The OIG’s database is maintained at OPM headquarters -- not the Interior Department shared data center, where hacked personnel files were stored -- and employs different security measures. But the recent breaches, called the worst exposure of government data in history, have led to scrutiny of other data assets maintained by the agency.