Federal officials have found "significant cybersecurity weaknesses" in the state-run health insurance websites of California, Kentucky, and Vermont, the Associated Press reports. The security flaws could have allowed hackers access to the personal information of hundreds of thousands of citizens.

The vulnerabilities were found by the Government Accountability Office, an independent agency that serves as a watchdog to Congress, which studied the states' health insurance sites from October 2013 to March 2015. The names of California, Kentucky, and Vermont were originally kept anonymous in the report, but the AP was able to reveal them through a Freedom of Information Act request. Further reporting by the AP found that while state officials have known about the GAO's report since last September, some security issues still haven't been resolved.

A spokesman for the California's state exchange told the AP there's been no evidence of hackers successfully accessing any data, but did not explain how they were attempting to fix the security concerns. In Kentucky, a spokesman for the governor's administration said that efforts to fix the problem are underway in "various stages of completion and development." However, Kentucky is planning to ditch its state-run exchange for the federal Healthcare.gov later this year. Vermont's director of health reform Lawrence Miller told the AP that it had changed vendors since the GAO review was conducted and that its security was now up to federal standards.

The GAO only studied these three states, but the agency suggested that, given the number of weaknesses they found, "other state-run health insurance exchanges could be vulnerable." That's a direct call-out to the nine other states that run their own health insurance exchanges independent of the federal government: Colorado, Connecticut, Idaho, Massachusetts, Maryland, Minnesota, New York, Rhode Island, and Washington, as well as Washington, DC.

But Healthcare.gov isn't free from security problems either. In the same time period, the GAO found 316 "security incidents" with Healthcare.gov, which could have included "unauthorized access, disclosure of data or violations of security practices." Apparently, these incidents did not result in lost or stolen data, but are still a matter of serious concern, the GAO's report said.