HealthCare.gov debuted Oct. 1 and, overnight, became the new poster child for government ineptitude. From its propensity to crash to its multitude of security problems and bureaucratic inefficiencies, it provided a seemingly inexhaustible supply of material for late-night comedians.
But the site is no laughing matter. It is a security nightmare, one that leaves users’ personal information vulnerable to hackers and others. And that vulnerability appears to be open-ended.
In late October, a North Carolina man accidentally discovered a security breach on the site: It allowed him to access a stranger’s private enrollment and subsidy information. The user immediately contacted the Department of Health and Human Services and asked it to remove his own account .
After weeks of waiting, his information account was finally deleted in mid-November.
Officials at CoverOregon, Oregon’s health exchange, are reviewing their privacy protections after workers committed three personal data breaches in three days. Vermont officials overseeing the state’s website confirmed a security breach that gave one user improper access to another’s Social Security number .
Two months after HealthCare.gov’s disastrous debut, the administration claimed the site was, essentially, fixed. But those assurances addressed only the site’s ability to handle more traffic without going into cardiac arrest.
While the metrics the government used to declare HealthCare.gov “fixed” are fine as far as they go, they are woefully incomplete. Notably missing is any metric addressing security.
On Nov. 19, four IT experts testified before a House committee . All agreed that HealthCare.gov was a security nightmare that presented unacceptable risks to users. One went so far as to dub the website “IdentityTheft.gov.”
Since then, the administration once again has pronounced the website “fixed.” Unfortunately, it “doesn’t appear that any security fixes were done at all,” says David Kennedy, CEO of the online security firm TrustedSec.
Kennedy told The Washington Free Beacon, the “fixes” made to increase the site’s capacity may have left the site even less secure. His professional advice? “I would still definitely advise individuals to not use the website.”
And the website isn’t the only source of security concerns over the enrollment process. Obamacare navigators — nearly 50,000 people contracted by the government to help consumers wade through the insurance process and select a plan — never had to undergo background checks.
Folks who disclose financial and medical information to navigators during the sign-up process may leave themselves wide open to fraud and identity theft.
The security risks of signing up for Obamacare remain sky high. All Americans — and especially the young — might want to hold off for a while until they get an official “all clear.”