
Healthcare.gov doesn’t protect personal information of Obamacare applicants

Published time: October 30, 2013 18:09
A woman looks at the HealthCare.gov insurance exchange internet site October 1, 2013 in Washington, DC. (AFP Photo / Karen Bleier)

As members of Congress grilled the secretary of the United States Health and Human Services department Wednesday morning in Washington, the agency’s Healthcare.gov site was being blamed for more issues than ever.

HHS Secretary Kathleen Sebelius had a rough morning on Wednesday answering to lawmakers during a Capitol Hill hearing, and her agency’s ongoing blunder — the Healthcare.gov site — even went offline again momentarily during the meeting.

But while serious glitches and significant downtime have dominated articles about the online marketplace for so-called Obamacare as of late, privacy problems abound as well. Security expert Ben Simo has discovered a number of problematic vulnerabilities with the website for President Barack Obama’s Affordable Care Act in recent days, and the issues could have compromised the personal information of potentially millions of Americans.

“There are so many obvious security flaws that I doubt they took security seriously,” Simo, the former president of the Association for Software Testing, wrote on his blog this Tuesday.

Last week, Simo suggested that even an unskilled attacker could access usernames, password reset codes, email addresses and security questions pertaining to the accounts of anyone who signed up for the president’s health insurance plan since the website went live on October 1. Should a hacker guess someone’s username, he said, they could then use that information to social engineer their way into that person’s account.

“Although what I've learned is something any competent web security professional (malicious or ethical) can find within an hour, I do not want to enable (or give the impression of enabling) others to attack the site,” he wrote.

“This level of security is unacceptable,” Simo said at the time. “I am now of the opinion that no one should trust Healthcare.gov with any information. The externally visible lack of security is appalling and suggests incompetence on the part of those who built it.”

Simo discovered the vulnerability earlier this month, and his attempts to report the issue to the online operator at the Department of Health and Human Services were futile, he told reporters with TIME Magazine last week.

“After a half hour of delay, Simo was told his complaints would be forwarded to the Federal Trade Commission, an agency that typically investigates consumer complaints, who would contact law enforcement as necessary,” TIME’s Michael Scherer reported last Thursday.

That Friday, Simo detailed the vulnerability on his blog, and that same day TIME took up the issue with both the White House and HHS Dept. The Obama administration, however, could not confirm that the issue was handled until the following Monday.

By Sunday, however, Simo had already discovered yet another issue.

“I have read some reports that we need not be overly concerned about Healthcare.gov security because the site doesn't keep much personal information,” Simo acknowledged. On the contrary, his audit of the code used to transfer information to third-party analytics and advertising companies found that it sends user names and password reset codes, unencrypted, to those outside parties.

“Not only does this violate Healthcare.gov's stated privacy policy, it likely also violates the privacy policies of these 3rd parties,” Simo wrote. “Even if the 3rd parties receiving the data can be trusted to not abuse the data, they may not protect it as personally identifiable information should be protected -- especially if they are not expecting to receive personal information.”
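The third-party leak described above is the kind of defect a scrubbing step in a site's own analytics code prevents. As an added illustration, not code from Healthcare.gov or from Simo's write-up, and assuming the identifiers travel in the page URL's query string under parameter names constructed for this example, the following shows the unsafe beacon beside the hardened one and an audit check for whether a beacon still carries a sensitive value:

```javascript
// Added example: redact sensitive query parameters before a page URL is handed
// to a third-party analytics endpoint. Not Healthcare.gov code; the parameter
// names below are assumptions for the illustration.

// Parameter names that must never leave the first-party origin (assumed).
const SENSITIVE_PARAMS = new Set(["username", "userid", "resetcode", "token", "email"]);

// Return a copy of `url` with sensitive query values replaced by "[redacted]".
function scrubAnalyticsUrl(url) {
  const u = new URL(url);
  for (const name of [...u.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.has(name.toLowerCase())) {
      u.searchParams.set(name, "[redacted]");
    }
  }
  u.hash = ""; // fragments can carry tokens as well; drop them entirely
  return u.toString();
}

// Before: the raw page URL, reset code included, goes to the analytics vendor.
function buildBeaconUnsafe(pageUrl, vendorEndpoint) {
  return `${vendorEndpoint}?dl=${encodeURIComponent(pageUrl)}`;
}

// After: only the scrubbed URL leaves the origin.
function buildBeaconSafe(pageUrl, vendorEndpoint) {
  return `${vendorEndpoint}?dl=${encodeURIComponent(scrubAnalyticsUrl(pageUrl))}`;
}

// Audit helper: does the beacon still carry any sensitive value from the page URL?
function leaksSensitiveValues(beaconUrl, pageUrl) {
  const page = new URL(pageUrl);
  const decoded = decodeURIComponent(beaconUrl);
  for (const [name, value] of page.searchParams) {
    if (SENSITIVE_PARAMS.has(name.toLowerCase()) && value && decoded.includes(value)) {
      return true;
    }
  }
  return false;
}

// Constructed sample: a password-reset page URL and a vendor collect endpoint.
const SAMPLE_PAGE = "https://example.invalid/reset?username=jdoe&resetcode=ABC123&lang=en";
const SAMPLE_VENDOR = "https://analytics.example.invalid/collect";
console.log(leaksSensitiveValues(buildBeaconUnsafe(SAMPLE_PAGE, SAMPLE_VENDOR), SAMPLE_PAGE)); // true
console.log(leaksSensitiveValues(buildBeaconSafe(SAMPLE_PAGE, SAMPLE_VENDOR), SAMPLE_PAGE));   // false
```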

Additionally, Simo found that Healthcare.gov’s system could be storing more information on users than even Obamacare applicants assumed. Simo noted that when logging onto the site, “it returns a whole bunch of information I previously provided that is not needed for the purpose of logging into the system,” including a field for the applicant’s Social Security number, if supplied. This information is encrypted, Simo noted, but could nonetheless be compromised. Even then, other vulnerabilities appeared to remain unpatched.

Chris Soghoian, the principal technologist for the American Civil Liberties Union, chimed in over Twitter that the Federal Trade Commission punished both Facebook and Myspace in the past over similar leaks of personal information to third-party companies.

Last year, both social media companies promised the FTC that they’d develop comprehensive privacy programs to settle allegations that they violated their own policies by leaking personal info to third parties. In Myspace’s case, the company told the FTC it would also allow regular security audits for another 20 years.

Also this Tuesday, the Associated Press reported that an internal government memo indicated that Healthcare.gov posted a “high” security risk because a contractor wasn’t able to test the site properly. The only testing conducted "exposed a level of uncertainty that can be deemed as a high risk," the memo said, though the site was rolled out regardless. According to the memo, an audit of the site wasn’t going to occur until two-to-three months after the October 1 launch.


Comments (6)

 

Daryl Buck 24.07.2014 23:01

...and if you don't they'll fine you.

Can this get any more ridiculous?

 

Anonymous user 01.11.2013 11:59

What does credit reports, credit cards and HIPAA mean if they don't follow laws of HIPAA, so anybody from any insurance co can access our personal credit checks as an article stated Equifax is involved in this, what is a credit reporting agency doing w/ our personal health information. I won't sign up for this program, the less information I give to this government the better for everybody and I knew when they started this it would mean all of our health info would be out there for everyone. I refuse to just give my private information away.

 

Dan Johnson 31.10.2013 13:14

To see my response to this article and some of its comments so far, please Google "On Health Exchange (HIX) Web Site Security Vulnerabilities".
