The House passed the Health Exchange Security and Transparency Act, H.R. 3811, in a 291-122 vote. Sixty-seven Democrats voted for the bill, ignoring arguments from party leaders that the bill was a "messaging" vote meant to discourage people from signing up for insurance.
The one-sentence bill says that no later than two business days after any security breach on an ObamaCare site is discovered, "the Secretary of Health and Human Services shall provide notice of such breach to each individual." Republicans said that under current law, the government is not required to notify people if their information is put at risk.
"It may shock some people to learn that there is no legal requirement that the Department of Health and Human Services notify an individual if his or her personal information is breached or improperly accessed through the Affordable Care Act's exchanges," said Rep. Joe Pitts (R-Pa.).
The White House said it opposed the bill, arguing the government already has plans to tell people if their information has been compromised.
But that argument didn't sway a large group House Democrats, many of whom fear the problem-plagued rollout of ObamaCare will cost them at the polls in November.
House Oversight and Government Reform Committee Chairman Darrell Issa (R-Calif.) said the new requirement is critical because a senior official at the Centers for Medicare and Medicaid Services (CMS) advised in September that the site should not be launched due to security problems. Teresa Fryer, the Chief Information Security Officer at CMS, testified before Issa's committee late last year.
"The truth is that actual interviews and depositions taken of the highest-ranking people that helped develop this website, both public and private, shows there was no end-to-end testing," Issa said Friday. "It did not meet the spirit of any definition of a secure website."
Democrats rejected those arguments, and said Republicans were not explaining Fryer's complete views on the security of HealthCare.gov.
"All week, Republicans have been trying to make their case for this bill by quoting from a memo drafted by the chief information security officer at CMS about concerns before the website was launched," said Rep. Elijah Cummings (Md.), the top Democrat on Issa's committee. "But they omit one critical fact: this official never sent the memo. It was a draft, and she never gave it to anyone, including her own supervisor."
Democrats said the GOP was trying to stir up fears about HealthCare.gov and the other enrollment sites by raising the idea that people's personal information could be stolen.
"There have been no successful security attacks on HealthCare.gov, and no one has maliciously accessed personal information," said Rep. Frank Pallone (D-N.J.). "This is just another one of those scare tactics, and I just hope that my colleagues, both Democrats and Republicans, are not fooled by this."
House Majority Leader Eric Cantor (R-Va.) fired back at the charge that the bill is for “messaging purposes,” noting that it simply requires officials to tell people when a data breach occurs.
"That's it," Cantor said. "There's no message in there, this is just trying to help people."
The White House, meanwhile, claimed the legislation would create costly new reporting requirements.
"The administration opposes House passage of H.R. 3811 because it would create unrealistic and costly paperwork requirements that do not improve the safety or security of personally-identifiable information in the Health Insurance Marketplaces," the White House said in a policy statement.
"Unlike existing requirements, H.R. 3811 requires expensive and unnecessary notification for the compromise of publicly-available information, even if there is no reasonable risk that information could be used to cause harm."
The White House stopped short of issuing a veto threat against the bill, but Senate Democrats are unlikely to take it up.
— This story was updated at 11:52 a.m.