As members of Congress grilled the secretary of the United States Health and Human Services department Wednesday morning in Washington, the agency’s Healthcare.gov site was being blamed for more issues than ever.
HHS Secretary Kathleen Sebelius had a rough morning on Wednesday answering to lawmakers during a Capitol Hill hearing, and her agency’s ongoing blunder — the Healthcare.gov site — even went offline again momentarily during the meeting.
But while serious glitches and significant downtime have dominated articles about the online marketplace for so-called Obamacare as of late, privacy problems abound as well. Security expert Ben Simo has discovered a number of problematic vulnerabilities with the website for President Barack Obama’s Affordable Care Act in recent days, and the issues could have compromised the personal information of potentially millions of Americans.
“There are so many obvious security flaws that I doubt they took security seriously,” Simo, the former president of the Association for Software Testing, wrote on his blog this Tuesday.
Last week, Simo suggested that even an unskilled attacker could access usernames, password reset codes, email addresses and security questions pertaining to the accounts of anyone who signed up for the president’s health insurance plan since the website went live on October 1. Should a hacker guess someone’s username, he said, they could then use that information to social engineer oneself into another’s account.
“Although what I’ve learned is something any competent web security professional (malicious or ethical) can find within an hour, I do not want to enable (or give the impression of enabling) others to attack the site,” he wrote.
“This level of security is unacceptable,” Simo said at the time. “I am now of the opinion that no one should trust Healthcare.gov with any information.The externally visible lack of security is appalling and suggests incompetence on the part of those who built it.”
Simo discovered the vulnerability earlier this month, and his attempts to report the issue with the online operator at the Department of Health and Human Services were futile, he told reporters with TIME Magazine last week.
“After a half hour of delay, Simo was told his complaints would be forwarded the Federal Trade Commission, an agency that typically investigates consumer complaints, who would contact law enforcement as necessary,” TIME’s Michael Scherer reported last Thursday.
That Friday, Simo detailed the vulnerability on his blog, and that same day TIME took up the issue with both the White House and HHS Dept. The Obama administration, however, could not confirm that the issue was handled until the following Monday.
By Sunday, however, Simo had already discovered yet another issue.
“I have read some reports that we need not be overly concerned about Healthcare.gov security because the site doesn’t keep much personal information,” Simo acknowledged. On the contrary, however, an audit of the code used to transfer information to third-party analytics and advertising companies nevertheless moves user names and password reset codes unencrypted to outside agencies.
“Not only does this violate Healthcare.gov’s stated privacy policy, it likely also violates the privacy policies of these 3rd parties,” Simo wrote. “Even if the 3rd parties receiving the data can be trusted to not abuse the data, they may not protect it as personally identifiable information should be protected — especially if they are not expecting to receive personal information.”
Additionally, Simo found that Healthcare.gov’s system could be storing more information on users than even Obamacare applicants assumed. Simo noted that when logging onto the site, “it returns a whole bunch of information I previously provided that is not needed for the purpose of logging into the system,” including a field for the applicant’s Social Security number, if supplied. This information is encrypted, Simo noted, but could still be compromised nonetheless. Even then, other vulnerabilities appeared to be unpatched.