November 25 2013
Patrice J. Lee
Last week security experts warned that the ObamaCare website is riddled with security flaws that put the personal information of Americans at risk and should be shut down. The state exchanges apparently suffer from similar faults.
On Friday, officials in Vermont confirmed that the state’s health exchange website was breached. A user gained access to another person’s application, Social Security number and private information. The hacker appeared to be interested in making a point: Americans should be extremely wary of using healthcare.gov and the state exchange websites until they are proven secure.
Here’s the story:
A report from state to federal officials overseeing the health insurance exchanges set up under the Affordable Care Act said a consumer reported the incident with the Vermont Health Connect website on Oct. 17.
The consumer, whom officials would not identify, reported that he received in the mail — from an unnamed sender — a copy of his own application for insurance under the state exchange.
“On the back of the envelope was hand-written ‘VERMONT HEALTH CONNECT IS NOT A SECURE WEBSITE!’ This was also (written) on the back of the last page of the printed out application,” said the incident report.
Mark Larson, commissioner of the Department of Vermont Health Access, said the incident described in the report was the only one of its kind since Vermont Health Connect launched Oct. 1. He said technical changes had been made in the way the system handles user names and passwords.
“This was one case and it was responded to appropriately,” Larson said, adding that the department’s main concern is data security and making sure the “unique circumstances” that led to the breach cannot be replicated today.
This revelation follows last week’s congressional hearing, where tech experts discussed the federal exchange website’s security woes. Unlike the hearings featuring Kathleen Sebelius and the tech companies that created this blundering mess, this hearing actually produced information that we could use.
In a rapid "yes" or "no" question-and-answer session during a Republican-sponsored hearing by the House of Representatives Science, Space and Technology Committee, Republican Representative Chris Collins of New York asked four experts about the security of the site:
"Do any of you think today that the site is secure?"
The answer from the experts, which included two academics and two private sector technical researchers, was a unanimous "no."
"Would you recommend today that this site be shut down until it is?" asked Collins, whose party is opposed to Obamacare and has sought to capitalize on the failures of the website since it opened for enrollment on Oct. 1.
Three of the experts said "yes," while a fourth said he did not have enough information to make the call.
The experts said the site needed to be completely rebuilt to run more efficiently, making it easier to protect. They said HealthCare.gov runs on 500 million lines of code, or 25 times the size of Facebook, one of the world's busiest sites.
David Kennedy, head of computer security consulting firm TrustedSec LLC and a former U.S. Marine Corps cyber-intelligence analyst, gave lawmakers a 17-page report that highlights the problems with the site and warned that some of them remain live.
The site lets people know invalid user names when logging in, allowing hackers to identify user IDs, according to the report, which also warns of other security bugs.
Avi Rubin, director of the Information Security Institute at Johns Hopkins University and an expert on health and medical security, said he needed more data before calling for a shutdown of the site.
…But he would not use it because he is concerned about security bugs that have been made public, he said.
Little commentary is needed on our end other than to say that this confirms what we’ve been reporting for months. While the Administration painted fears about the federal and state exchange websites as overblown, we hear nothing from them in response to these latest revelations.
Americans should take care and think twice about the proven vulnerabilities before signing up for ObamaCare. In Vermont, an applicant received his own application back in the mail with a warning note. Other applicants may not be so lucky.