Suspicions that U.S. consumers’ personal information could be accessed from India led regulators to abruptly bar two large private sector enrollment websites from accessing the Affordable Care Act marketplace in August.

New details about the suspensions come in legal filings made late Friday stemming from an effort by the two to regain access to the Obamacare marketplace before the upcoming ACA open enrollment period, which starts Nov. 1.

The Centers for Medicare & Medicaid Services wrote in a Sept. 2 letter to the companies that they were suspended after the agency identified “a serious lapse in the security posture” that could have led to marketplace data, including consumers’ personal information, being accessed from overseas.

The letter, included in the court filings, also noted that regulators will audit the two companies because they have “reasonable suspicion” that they are players in a separate problem: signing people up for Obamacare coverage — or changing their policies — without the consumers’ permission.

Whether those legal issues will be resolved before the upcoming enrollment period is an open question. Currently, the concerns raised about the companies remain allegations, with none of the legal challenges or the audit close to a ruling or conclusion.

Still, the larger issue of fraudulent ACA enrollment by rogue insurance agents seeking commissions will continue to pose a headache for regulators, with more than 200,000 complaints filed by consumers in the first six months of 2024. And it has become a political problem for the Biden administration. GOP lawmakers blamed the schemes partly on Biden-backed expanded Obamacare premium subsidies.

President Joe Biden has claimed record-breaking enrollment under the ACA as one of his administration’s major accomplishments, and regulators are looking to thwart deceptive enrollment schemes without slowing legitimate sign-ups. In recent weeks they’ve removed at least 200 agents’ access to the federal ACA marketplace, and in July began requiring, in many circumstances, that brokers participate in three-way calls with their clients and the healthcare.gov help center before changes can be finalized.

The CMS letter now adds another layer. It is the first time this year the agency has called out a company over questionable enrollments, saying it suspects “the Speridian Companies” might have “directed its employees and other agents to change Marketplace enrollees’ coverage and enroll insured and uninsured consumers without the enrollees’ consent.”

California-based Speridian Global Holdings owns the companies in question, which include enrollment platform Benefitalign and TrueCoverage, doing business as the Inshura enrollment site. It has a data center in India.

The now-suspended Benefitalign site handled at least 1.2 million applications for ACA coverage during the last open enrollment period, according to court documents, which would rank it among the largest of the private enrollment sites allowed to integrate with healthcare.gov, the federal marketplace.

Previously, CMS had said publicly only that it suspended the websites for “anomalous activity.”

The suspended companies deny any wrongdoing related to enrollment schemes. Spokesperson Catherine Riedel declined comment beyond their court filings.

In late August they filed a complaint against CMS over the suspensions in U.S. District Court for the District of Columbia, seeking a restraining order. They added to that complaint on Sept. 6, calling CMS’ suspension action “lawless.”

On Aug. 8, CMS suspended the two websites from accessing healthcare.gov information.

It did so, according to the Sept. 2 letter, over concerns that some consumer information “is processed and/or stored” in India, citing “suspicions” that the data is “being accessed from outside of the United States.”

That’s a problem, the letter says, because marketplace data must stay in the U.S. to “eliminate the possibility that foreign powers might obtain access.” Additionally, websites approved by CMS to integrate with the federal marketplace cannot transmit data outside of the U.S. or allow access from outside the country, under the terms of agreements such companies sign to get CMS approval to operate.

CMS did not spell out what consumer information might have been included, but ACA applications can contain information including a person’s name, date of birth, address, and detailed household income information.

Speridian companies were suspended, then reinstated, from the marketplace in prior years over other concerns, including problems with false Social Security Numbers submitted with some TrueCoverage ACA applications in 2018, and for a 2023 effort by Benefitalign to access the federal marketplace’s “software testing environment” from India, according to the CMS letter.

In seeking a restraining order against CMS, the companies argue that the agency’s action to suspend them now is arbitrary and capricious and violates its own regulations as well as the due process clause of the Constitution.

The filing calls the Sept. 2 CMS letter explaining the reasons for the suspensions “a post hoc justification” that includes a litany of “‘concerns,’ ‘suspicions,’ ‘allegations.’” The filing also asserts “these intimations of violations are made without evidence of any actual violation.”

The court documents say the suspensions will prevent the companies from participating in the upcoming open enrollment period, harming them and “the thousands of brokers” and “millions of consumers who count on brokers” using those websites to sign up for ACA coverage.

The suspension remains in place, the CMS letter says, partly because its concerns have not been allayed by information provided by the companies, but also while the audit is conducted.

CMS has “reasonable suspicion, based on credible evidence it has considered,” that the companies were involved in enrolling consumers or changing their coverage without specific permission, the letter stated, noting that such allegations are included in a civil lawsuit filed by private sector lawyers in U.S. District Court for the Southern District of Florida.

The firms have previously said the allegations in the civil lawsuit are without merit.

Brokers who have used the suspended websites in the past have other options to enroll clients, including several other websites currently approved to integrate with the federal Obamacare marketplace. Consumers can also go directly to the federal or state ACA websites and enroll themselves or get assistance from call centers associated with those marketplaces.

This article was produced by KFF Health News, a national newsroom that produces in-depth journalism about health issues and is one of the core operating programs at KFF — the independent source for health policy research, polling, and journalism.