Jessica Kim Cohen
December 18, 2019
The CMS has temporarily shut down access to its
Blue Button 2.0 data-sharing tool after discovering a bug that may have exposed
some beneficiary information.
The CMS suspended access to the Blue Button 2.0
API, or application programming interface, after a third-party app developer
reported a "data anomaly" on Dec. 4. It's unclear when the service,
which allows Medicare beneficiaries to share their claims data with third-party
apps, will be restored, the agency shared in a blog post this week.
"Access to BB2.0 remains closed while we
conduct a full review. Restoration of service is pending resolution of the
issue," the CMS wrote.
Earlier this year, the CMS said more than two
dozen organizations had launched Blue Button 2.0 apps for Medicare
beneficiaries to download, such as programs to help users organize their
medication lists.
The bug—a coding error that was introduced last
year—may have inadvertently shared some beneficiaries' protected health
information with an incorrect user or an incorrect Blue Button 2.0 app.
"The technical issue is contained to less
than 10,000 Blue Button authorized users and 30 authorized apps," a CMS spokesperson
wrote in an emailed statement.
The CMS said it will notify affected
beneficiaries and app developers about the issue in the coming weeks.
The CMS linked the privacy issue to Blue Button
2.0's process for identifying beneficiaries.
An identity management system assigns
beneficiaries randomly generated user IDs to connect claims data to the correct
third-party app. However, the Blue Button 2.0 tool was truncating those user IDs,
which made them "not sufficiently random to uniquely
identify a single user," according to the CMS' blog post, leading to the
same shortened user IDs being assigned to multiple people.
That means any data exposure from the bug was
contained to Blue Button 2.0 beneficiaries and developers, and does not involve
intrusions by outside entities, according to the CMS.
"This issue only impacts BB2.0, not Plan
Finder, Medicare.gov, or any other system," the CMS wrote. "We have
not detected any intrusion by unauthorized users and system integrity has not
been compromised by any external source."
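The user-ID truncation described above can be reproduced with constructed data. The following is an added example, not CMS code: the 128-bit hex ID format, the truncated lengths, the population size and every function name are assumptions, since the article gives none of them. It shows how the chance of two users sharing a key grows as the ID is shortened, and a uniqueness guard that rejects a shared key instead of silently reusing it.

```python
import math
import random
from collections import defaultdict

def collision_probability(n_users, id_bits):
    """Birthday bound: chance that at least two of n_users uniformly
    random IDs of id_bits bits are identical."""
    pairs = n_users * (n_users - 1) / 2
    return -math.expm1(-pairs / 2 ** id_bits)

def make_ids(n, seed=2019):
    """Constructed sample data: n random 128-bit IDs as 32 hex chars (assumed format)."""
    rng = random.Random(seed)  # seeded for a repeatable demo; real IDs need the secrets module
    return [f"{rng.getrandbits(128):032x}" for _ in range(n)]

def shared_keys(full_ids, keep_chars):
    """Map each truncated key to the distinct full IDs that collapse onto it."""
    groups = defaultdict(set)
    for full_id in full_ids:
        groups[full_id[:keep_chars]].add(full_id)
    return {k: v for k, v in groups.items() if len(v) > 1}

class KeyCollision(Exception):
    pass

def bind(table, full_id, keep_chars):
    """Uniqueness guard: refuse to reuse a lookup key owned by another ID."""
    key = full_id[:keep_chars]
    owner = table.setdefault(key, full_id)
    if owner != full_id:
        raise KeyCollision(f"key {key} already bound to a different user")
    return key

if __name__ == "__main__":
    ids = make_ids(10_000)  # constructed population size
    for chars in (32, 8, 4):
        print(chars, "hex chars:",
              f"P(collision)={collision_probability(len(ids), chars * 4):.3g},",
              len(shared_keys(ids, chars)), "keys shared by 2+ users")
```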
News of the bug comes as the CMS and HHS' Office
of the National Coordinator for Health Information Technology are working to
finalize their companion interoperability proposals. The rules would require
healthcare providers and insurers to allow patients to request their health
data via APIs and third-party apps, raising privacy concerns
among some provider groups.