>>>Just recently, Anthem (huge in US healthcare) had a massive privacy breach involving tens of millions of patients, attributed to a compromised administrator login. Gone or at least going are the days when contractors, administrators or analysts could dip into sensitive data at will...

At least Anthem sent notifications to members about the breach.

The federal health exchange is under no obligation. When consumer advocates challenged this, HHS responded with, "We do not plan to include specific notification procedures in the final rule. Consistent with this approach, we do not include specific policies for investigation of data breaches in this final rule.”

When you consider that information you provide on the exchanges can be shared with the IRS, DHS, State agencies, consumer reporting agencies (for verification), CMS contractors, and really anyone who can legally access the information as per HHS regulations - the exchanges (as one analyst commented) might as well just hang a "Hack Me" sign on the websites.