Thursday, January 16, 2014

All your health information belongs to us

Federal law requires that when a private corporation is hacked and customer information is stolen, it must notify the victims of the theft. This is a reasonable requirement that lets people rush out and buy identity theft protection and/or keep a close eye out for funny charges showing up on their bills. 

In the case of the federal healthcare exchange, there is no legal requirement to report such breaches. Individuals on the federal exchange are without such protection, even though most states do have reporting requirements. The issue came up during regulatory comments, and HHS apparently declined to support any sort of mandatory reporting rule. They'll let us know when they feel like it.

To rub salt in the wound, HIPAA privacy protections do cover insurance companies and health providers accessing federal government systems, but the federal government itself is not obligated to honor those protections. Fancy that.