KPMG LLP
Three Embarcadero Center
San Francisco, CA 94111


Independent Accountants' Report


The Management and Board of Directors
eHealthInsurance Services, Inc.

We have examined the accompanying assertion of management of eHealthInsurance that:

As of July 30, 2004, eHealthInsurance Services, Inc. has maintained effective internal controls to provide reasonable assurance that health insurance applications accessible from eHealthInsurance's Carrier Extranet (PDF Application) are the same as the applications that are electronically received by eHealthInsurance (health insurance application) as a result of a submission made by the applicant through eHealthInsurance's website (www.ehealthinsurance.com), based on the attached "Criteria Used by Management to Assess the Effectiveness of Internal Control."

Management is responsible for its assertion and for maintaining effective internal control over eHealthInsurance's Electronic Processing Interchange (EPI) process. Our responsibility is to express an opinion on management's assertion based on our examination.

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance that management's assertion is not materially misstated. Our examination included (1) obtaining an understanding of eHealthInsurance's internal control over the Electronic Processing Interchange (EPI) process, (2) testing and evaluating the design and operating effectiveness of internal control over eHealthInsurance's Electronic Processing Interchange (EPI) process as of July 30, 2004, and (3) performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.

Because of inherent limitations in any internal control, security breaches, errors or fraud may occur and not be detected. Also, projections of any evaluation of internal control to future periods are subject to the risk that internal control may become inadequate because of changes in conditions, or that the degree of compliance with policies or procedures may deteriorate.

In our opinion, management's assertion referred to above is fairly stated, in all material respects, based on criteria as set forth in the attached "eHealthInsurance Criteria Used by Management to Assess the Effectiveness of Internal Control."

San Francisco, California
July 30, 2004

eHealthInsurance.com

Appendix A

Management's Assertion

The management of eHealthInsurance Services, Inc. ("eHealthInsurance") makes the following assertions regarding the effectiveness of Internal Controls and Criteria Used by Management to Assess the Effectiveness of Internal Controls:

eHealthInsurance has maintained effective internal controls to provide reasonable assurance that health insurance applications accessible from eHealthInsurance's Carrier Extranet (PDF Application) are the same as the applications that are electronically received by eHealthInsurance (health insurance application) as a result of a submission made by the applicant through eHealthInsurance's website (www.ehealthinsurance.com), based on the following criteria:

Criteria Used by Management to Assess the Effectiveness of Internal Controls pertaining to Assertion 1

Controls provide reasonable assurance that PDF Applications accessible from eHealthInsurance's Carrier Extranet are the same as the health insurance applications that are electronically received by eHealthInsurance as a result of a submission made by the applicant through eHealthInsurance's website:

  1. Completed health insurance applications received by eHealthInsurance are stored in a secure file system protected by logical and physical access controls. Additionally, such applications cannot be altered or changed by the applicant, the carrier or any third party.

    A. (For Carriers that allow Electronic Processing Interchange (EPI) and non-EPI applications)

      After the applicant completes all required fields of the application and indicates his or her intent to submit the application to eHealthInsurance (e.g., by clicking on a "Submit Application" button), the unsigned application is stored as a PDF Application in a secure PDF Archive File System ("Unsigned PDF Application").
      The Unsigned PDF Application stored in eHealthInsurance's secure PDF Archive File System cannot be altered or changed by the applicant, the carrier or any third party.
      The applicant is given the opportunity to view and/or print the Unsigned PDF Application prior to electronically signing such application.
      After the applicant indicates his or her intent to electronically sign the application (e.g., by filling out certain required fields and clicking on an "I agree" button), the signed application is stored as a PDF Application in a secure PDF Archive File System ("e-Signed PDF Application").
      The applicant data contained in the e-Signed PDF Application is the same as the applicant data contained in the Unsigned PDF Application, except that the e-Signed PDF Application may contain certain additional billing details and the printed signature of the applicant.


    B. (For Carriers who only accept EPI applications)

      The applicant is given the opportunity to view and/or print the application data entered prior to initiating the electronic signing of the application.
      After the applicant indicates his or her intent to electronically sign the application (e.g., by filling out certain required fields and clicking on an "I agree" button), the signed application is stored as a PDF Application in a secure PDF Archive File System ("e-Signed PDF Application").
      The applicant data contained in the e-Signed PDF Application is the same as the application data submitted, except that the e-Signed PDF Application may contain certain additional billing details and the printed signature of the applicant.

  2. The e-Signed PDF Application stored in eHealthInsurance's secure PDF Archive File System cannot be altered or changed by the applicant, the carrier or any third party.

  3. Logical access to the Secure PDF Archive File System is provided to carriers, applicants, and other specified third parties, on a read-only basis.

  4. Full logical access to the Secure PDF Archive File System is provided to a limited number of authorized eHealthInsurance employees specifically approved by management.

  5. Physical access to the Secure PDF Archive File System is provided to a limited number of authorized eHealthInsurance employees specifically approved by management.

  6. The applicant can only access the PDF Application via the eHealthInsurance website through a secure connection, using an SSL encrypted connection (128-bit enabled, minimum 40-bit required). To access the PDF Application, the applicant must correctly enter the applicant's self-created unique identifier and password into the eHealthInsurance website.

  7. The carrier can only access the approved PDF Applications through an SSL encrypted connection (128-bit enabled, minimum 40-bit required) via the Carrier Extranet. To access the PDF Application, the carrier must correctly enter the carrier's unique identifier and self-created password into the Carrier Extranet.

  8. The design, acquisition, implementation, configuration, modification and management of infrastructure and software related to system security of the eHealthInsurance website and databases are consistent with defined security policies to enable authorized access and to prevent unauthorized access.

  9. Procedures exist to provide that only authorized, tested and documented changes are made to the software and hardware infrastructure.

July 30, 2004

Gary Lauer
Chief Executive Officer

Bruce Telkamp
Vice President, General Counsel, and Corporate Secretary