Serious cyber flaws caught in 3 state health insurance exchanges

Federal investigators have identified significant security weaknesses in the online marketplaces of three states that could allow hackers to access sensitive personal information of customers.

Health insurance consumers in certain states may have reason to be worried.

A new federal investigation has revealed significant cybersecurity weaknesses with the health exchange websites of California, Kentucky and Vermont that – if exploited – could leave the personal information of hundreds of thousands of people vulnerable to hackers.

The Associated Press learned of the investigation by the Government Accountability Office this week. The report itself was concluded and shared with state officials last September, though some of the system’s flaws have yet to be fixed.

Officials in California and Kentucky were quick to emphasize that no evidence suggests hackers have found their way into the sites, while Vermont authorities offered no comment.

Despite this, the GAO remains worried and suggested that other state-run health insurance exchanges could also be vulnerable to hackers. The original report focused only on the three states mentioned.

Congress’s investigative arm examined the health marketplaces in the three states from October 2013 to March 2015. Researchers found that one state did not encrypt passwords, making it easier for hackers to access individual accounts. Another state did not use a filter to block hostile attempts to visit the website, while yet another did not use proper encryption on its servers.

The states affected by each problem were not identified.

What is more worrying, some evidence suggests security flaws in these sites have not been addressed.

Steve Beshear, who was Kentucky governor at the time the problems were discovered, said through a spokesperson that “because of the time required to fix the technical issues, not all those issues had been addressed” by the time current Governor Matt Bevin took office late last year.

“[But] it is important to note that there were never any security breaches of any kind, and no one’s information was ever compromised,” he added.

Kentucky’s exchange, Kynect, will be dismantled later this year, though efforts are still underway to fix the problems pointed out in the report.

Representatives with Covered California, meanwhile, have not expounded on how the problems are being addressed, but emphasized that there have been no successful attempts to hack the website.

Vermont’s Director of Health Reform Lawrence Miller said the state had changed vendors since the time of the GAO review, and “ensured the correct controls were in place” to meet a federal standard for security during the transition.

The news comes on the heels of a report that the federal exchange, Healthcare.gov, had had 316 security incidents between October 2013 and March 2015. The incidents could include unauthorized access, disclosure of data or violations of security practices, though none resulted in lost or stolen data.

Nevertheless, the GAO said technical weaknesses within the federal system “will likely continue to jeopardize the confidentiality, integrity and availability of Healthcare.gov.”
