Obamacare’s main exchange logged 316 cybersecurity incidents in 18 months

Most of the incidents affecting the federal marketplace involved electronic probing by hackers, investigators said


By Lyle Adriano

HealthCare.gov has logged 316 cybersecurity incidents since its inception and the website remains vulnerable to further cyber-attacks, according to a report from the nonpartisan Government Accountability Office.

The cybersecurity incidents detected by the investigators took place between October 2013 and March 2015.

The agency noted that none of the over 300 cybersecurity incidents led to the exposure of sensitive data such as names, birth dates, addresses, Social Security numbers, financial information, and other personal information.

Forty-one of the security incidents involved personal information that was not secured properly or was exposed to unauthorized personnel—almost all of these cases were classified as having a “moderately serious impact.”

Many of the incidents that occurred over 18 months seemingly involved electronic probing by hackers, investigators pointed out. The investigators concluded that while the administration is making progress with its subsidized private health insurance program, any possible security flaws "will likely continue to jeopardize the confidentiality, integrity and availability of HealthCare.gov."

The GAO found that a critical component of the system that protects users’ sensitive information, known as the data services hub, had weaknesses. The data hub functions as a notification system that informs federal agencies such as Social Security, IRS and Homeland Security regarding the personal details of consumers.

Investigators also discovered weaknesses in some health insurance sites operated by their respective states, which connect to the data hub. At present, 12 states and the District of Columbia operate their own health exchange websites.

Other faults the investigators found in the system include inadequate restrictions on "administrator privileges" that allow a user broad access throughout the system, inconsistent security fixes, and an insecure administrative network.

The Health and Human Services department issued a formal response to the GAO’s report, asserting that the security and privacy of its consumers’ data is a “top priority.” The department also accepted the GAO’s recommendations for further improvement of the system.
