1. United States
2. Ky.
3. Letter

I am writing to express concern regarding reports that the Office of Personnel Management (OPM) has required numerous insurers and related entities to submit recurring reports containing sensitive health-related data. While efforts to improve oversight and cost management are important, the scale and frequency of this data collection raise serious questions about privacy, necessity, and safeguards. These concerns are underscored by the 2015 OPM data breach, which exposed highly sensitive personal information of more than 20 million individuals. That incident remains one of the most significant federal data security failures in history and demonstrates the risks associated with centralizing large volumes of personal data. Expanding the collection of health-related information—arguably among the most sensitive categories of data—heightens the potential consequences of any future breach. In addition, the routine aggregation of detailed health information raises important questions about alignment with HIPAA standards and long-standing expectations around medical privacy. Even if certain data-sharing practices are technically permissible, the lack of clear public transparency around how this information is collected, used, and protected risks undermining trust in federal health programs. I respectfully ask for clarification on the legal authority, scope, and safeguards associated with this reporting requirement. What protections are in place to ensure compliance with federal privacy standards? How is this data being used, and what limitations exist to prevent misuse or overreach? Protecting personal health information should remain a foundational principle in any federal initiative. I urge you to review this matter carefully and take appropriate steps to ensure that privacy, security, and public trust are fully preserved.