Security researcher Ben Simo noticed that Healthcare.gov was sending his user name and password reset code to third-party partners, including the analytics services Pingdom, DoubleClick, and Google Analytics.
Facebook and Myspace were fined by the Federal Trade Commission (FTC) for similar infractions last year.
What's more, there is no need to send user names or password reset codes to third parties. "We don't want and don't use this type of data," a representative for Google, which owns DoubleClick and Google Analytics, says in an email to The Verge. "Thanks for raising this — we're looking into it."
User names and password reset codes "are not of interest to Pingdom," Sam Nurmi, CEO of Pingdom, says in an email. The company was discarding user names and password reset codes, but rewrote its software in order to reject the information outright, he says.
"This is the sort of thing that the FTC has fined other companies over," Simo says. "The fact that they're doing this gives me more reason to be concerned about their overall approach to security. Do they really understand how to build a secure site?"
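The kind of check a site owner could run to catch the leak described above, added here as an example and not code from the article or from any of the companies it names. It assumes the leak path typical of analytics and monitoring beacons: the page URL (query string included) and the Referer header travel to the third party, so a user name or reset code placed in the query string goes along with them. The hostnames, parameter names and captured traffic are constructed placeholders, not Healthcare.gov's real ones.

```python
"""Audit captured outbound requests for account data leaking to third parties.

Added example, not from the article. Assumes the beacon pattern in which the
page URL and the Referer header are forwarded to trackers. All hosts, parameter
names and traffic below are constructed.
"""
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit, urlunsplit

# Query parameter names treated as sensitive (assumed names, not the real site's).
SENSITIVE_KEYS = {"username", "user", "code", "reset_code", "token"}

# Constructed first-party host; anything else is a third party.
FIRST_PARTY_HOSTS = {"www.example-marketplace.gov"}


def sensitive_values(url):
    """Return {param: value} for non-empty sensitive query parameters in url."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=False)
    return {k: v for k, v in pairs if k.lower() in SENSITIVE_KEYS}


def is_third_party(url):
    return urlsplit(url).hostname not in FIRST_PARTY_HOSTS


def find_leaks(page_url, requests):
    """requests: list of (request_url, headers) captured while page_url loaded.

    Returns a list of (destination host, where, param) for every sensitive value
    from page_url that reappears in a third-party request URL (for example the
    page URL embedded as a query parameter) or in that request's Referer header.
    URLs are percent-decoded before matching so encoded copies are caught too.
    """
    secrets = sensitive_values(page_url)
    leaks = []
    for url, headers in requests:
        if not is_third_party(url):
            continue
        host = urlsplit(url).hostname
        places = (("url", unquote(url)), ("referer", unquote(headers.get("Referer", ""))))
        for where, text in places:
            for name, value in secrets.items():
                if value in text:
                    leaks.append((host, where, name))
    return leaks


def redact_url(url):
    """Return url with sensitive query values replaced by a placeholder.

    This is the form a page should hand to analytics code (or expose as its
    Referer); the real fix is to keep reset codes out of URLs altogether.
    """
    parts = urlsplit(url)
    cleaned = [
        (k, "REDACTED" if k.lower() in SENSITIVE_KEYS else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(cleaned), parts.fragment))


# Constructed sample: a reset page whose URL carries the user name and code.
PAGE_URL = "https://www.example-marketplace.gov/account/reset?username=jdoe&code=8f3a9c"

# Constructed capture of requests the browser made while that page loaded.
CAPTURED = [
    # Analytics beacon embedding the full page URL in a query parameter.
    ("https://analytics.example-tracker.com/collect?v=1&dl=https%3A%2F%2Fwww.example-marketplace.gov"
     "%2Faccount%2Freset%3Fusername%3Djdoe%26code%3D8f3a9c",
     {"Referer": PAGE_URL}),
    # Monitoring pixel that only sees the Referer header.
    ("https://rum.example-monitor.com/beacon.gif", {"Referer": PAGE_URL}),
    # Same-origin asset: not a third party, so never reported.
    ("https://www.example-marketplace.gov/static/app.js", {"Referer": PAGE_URL}),
    # Third-party script fetched with a scrubbed Referer: nothing leaks.
    ("https://cdn.example-cdn.net/lib.js", {"Referer": "https://www.example-marketplace.gov/account/reset"}),
]

if __name__ == "__main__":
    for host, where, param in find_leaks(PAGE_URL, CAPTURED):
        print(f"{param!r} from the page URL reached {host} via {where}")
    print("redacted:", redact_url(PAGE_URL))
```

Run against a HAR export or proxy log of your own site, the same logic flags every third-party host that received a sensitive value and how it got there. Matching is by plain substring, so a very short user name can produce false positives; the audit is a triage tool, and the remedy is to move reset codes out of query strings, set a restrictive `Referrer-Policy`, and pass only the redacted URL to analytics code.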
Department of Health and Human Services (HHS) chief Kathleen Sebelius addressed security concerns in her testimony during a Congressional oversight hearing yesterday. "The highest security standards are in place and people have every right to expect privacy," she says. "I do absolutely commit to protecting the privacy of the American public. We should be held accountable for protecting privacy."
The website has had problems with basic functionality, which the administration promises to have fixed by the end of November. It now looks as though security and privacy were overlooked in the rush to open the marketplace by October 1st, the deadline mandated by the Affordable Care Act, which requires all Americans to have health insurance. An internal administration memo leaked yesterday warned of "high" risks due to the lack of time to do a security audit.