The federal health insurance marketplace at Healthcare.gov still has major security issues according to some experts, including a flaw that allows user records to show up in Google results.
At least 70,000 records with personal identifying information including first and last names, addresses, and user names are accessible by using an advanced Google search and then tweaking the resulting URLs, according to David Kennedy, founder of the security firm TrustedSec. Kennedy notes that he never modified any URLs, just that he noticed that it was possible.
Kennedy first testified about the issue before a Congressional committee in November, he says, but it still hasn't been resolved. It's just one of several issues he's identified with the site, and it's actually one of the easier ones to fix: Kennedy estimates it would take just a few days to hide the records.
Deeper issues, such as a loophole that allows hackers to easily impersonate links coming from Healthcare.gov, would take longer to fix. Kennedy and other security experts believe that new features are also introducing new problems as changes are made to the site. The website is less secure than 50 percent of all the sites on the internet according to Security Headers, a website that tests basic configuration issues.
The website is less secure than 50 percent of all the sites on the internet
Unfortunately, the Centers for Medicare and Medicaid Services (CMS) the Health Department agency responsible for Healthcare.gov's development, hasn't responded to Kennedy's disclosures. CMS did not immediately respond to a request for comment.
Healthcare.gov was supposed to allow Americans to shop for health insurance the way they might shop for a book on Amazon.com. Unfortunately, a rushed timeline and convoluted management lead to a disastrous launch that undermined public confidence in the website and the underlying health care reform law.
The administration had to scramble to get the site fixed and the lead contractor has been fired. But in getting the basic issues fixed, it appears that the tech team may have let security precautions fall behind. It's easier for hackers to steal identities than ever — consider the wealth of personal information recently made available through the Target hack — and the more sources of information that can be cross-referenced, the better things are for thieves.
"Everything that we've seen from the website is a symptomatic problem of a much larger issue of how they code the website so I'd be very concerned with using it," Kennedy says.