Healthcare.gov Exposed Confidential Information
- By Ginger Hill
- Oct 30, 2013
The security glitch in the original design of healthcare.gov has been fixed. At least that’s what a spokesman from Medicare and Medicaid said; however, after “eliminating this theoretical vulnerability,” crucial user information was exposed to anyone with basic web skills.
The site’s function that allows users to reset their password could be manipulated, allowing hackers to figure out if certain usernames were in use and what email address was associated with specific user names. This is extremely helpful for healthcare fraudsters to target unknowing people to gain fraudulent benefits.
According to an internal memo from the U.S. Center for Medicare and Medicaid Services, the security control assessment was only partly completed but assured that a “dedicated security team” would be assigned to monitor risks, conduct weekly scans and within 60 to 90 days after going live, “conduct a full-scale SCA test.” Thus, the memo did not detail any security concerns, and Marilyn Tavenner, director of the agency, thought the site was ready to go for its October 1st rollout date. In fact, healthcare.gov was tested with the results giving comfort in its performance.
Hackers have used password resets for some time now to gain access to confidential information…private information that purchasers of health insurance must provide…so this incident makes me wonder why the government wasn’t more careful when establishing this function on heathcare.gov.
Other security concerns have also been found on the site, including transmitting account information without encryption.
Sources:
http://www.theverge.com/2013/10/30/5046482/security-hole-in-healthcare-gov-exposed-user-email-addresses
http://www.cnn.com/2013/10/30/politics/obamacare-website-warning-memo/index.html?hpt=hp_t1
http://swampland.time.com/2013/10/28/exclusive-password-reset-security-glitch-fixed-on-healthcare-gov/
About the Author
Ginger Hill is Group Social Media Manager.