How secure is Healthcare.gov, the federal website for Obamacare, two and half years after being launched? Not secure enough. That’s the finding of a federal watchdog report.

When Healthcare.gov first launched, it crashed and burned, for months. The user experience was terrible for those who could actually log into it, and backend functionality was left unfinished or never started causing accounting headaches for all involved. We saw how good the government is at getting shoddy work done quickly and rolled out with great fanfare. President Obama had egg on his face and the embarrassing ensuing months of woes with the website underscored that government was not adept at technology, much less providing healthcare to Americans.

Fast-forward two plus years later and while the website is functioning, it still remains vulnerable to cyberattacks – as do many government websites, especially those that collect precious private information. According to the Government Accountability Office (GAO), healthcare.gov had 316 security incidents over a year. None of them led to sensitive personal information being obtained or released, but it exposes how at risk and underprepared the website is against  cyberattacks.

The data services hub is the epicenter of the attacks. It pings various agency websites such as the IRS, Social Security, and Homeland Security to verify information that consumers submit. Apparently, there are weaknesses in protecting the information in the hub, which is a treasure trove to scammers.

State-run ObamaCare websites don’t escape either. They too face significant vulnerabilities.

Fox News reports:

HealthCare.gov's data hub is one of the administration's major technology projects, and has generally been regarded as successful. Even as the consumer-facing part of the system crashed during the botched rollout of the health care law in 2013, the hub continued to operate smoothly.

However, GAO said it found shortcomings, including insufficiently tight restrictions on "administrator privileges" that allow a user broad access throughout the system, inconsistent use of security fixes, and an administrative network that was not properly secured.

Overall, 41 of the security incidents involved personal information that was either not properly secured or was exposed to someone who wasn't authorized to see it. Nearly all of those were classified as having a moderately serious impact.

In another type of incident, a list of government-employee account IDs, including passwords, was transmitted to staffers in an unencrypted email. That prompted a crash effort to create new passwords.

Health and Human Services has shrugged its shoulders at the report, claiming that the privacy and security of taxpayer data is a top priority. They’ve accepted the GAO’s recommendations to improve security, but questions remains whether and when they will implement the necessary changes to reduce the likelihood of a major data breach and identity theft.

What if hackers not only gain access to personal information from the hub, but figure out how to use this gateway to get into the databases that the Healthcare.gov feeds from such as the IRS or Social Security?

We already know that the IRS has been hacked multiple times placing millions of Americans at risk of identity theft. When will security be an Administration-wide priority–and is government equipped to handle security? Beyond that, this should continue to be a cautionary note to those seeking healthcare coverage through ObamaCare: Shop at your own risk.