October 30, 2013 - According to a report from the Associated Press, an internal government memo to Medicare chief Marilyn Tavenner states that contractors for the Department of Health and Human Services (HHS) never conducted an end-to-end data security test of the Healthcare.gov website. The memo, which was dated just three days before the public debut of the site, says that the lack of testing "exposed a level of uncertainty that can be deemed as a high risk." The memo, in combination with congressional testimony this morning, paints a picture of a website that is likely to be a prime hunting ground for ID thieves and hackers looking for consumer information, which can then be used or sold in black market transactions.
If the federal government knows how many Americans have provided their personally identifiable information via Healthcare.gov, it isn't saying. While we know from public statements that the site was visited by millions of Americans within the first 24 hours that it was open, it crashed almost immediately. Since the beginning of this month, there have been numerous reports from insurance companies, state governments and consumers themselves that the site is slow and makes it nearly impossible to actually sign up for insurance.
In the past few days of congressional testimony, HHS officials have refused to say how many people have actually completed the insurance sign-up process. Given the problems with the site and its software (the government has stated that it has more than 5 million lines of bad computer code that need to be rewritten), it could very well be that nobody actually knows how many consumers have been able to purchase insurance.
But there is doubtlessly a much larger group of consumers who have exposed their information to a data breach than have actually been able to sign up for an insurance policy. That's because the site requires consumers to provide their information prior to allowing them to do anything more than a rudimentary investigation of insurance plans. Want to find a new doctor? You have to provide your info. Want to see if your doctor is participating in the exchange? You need to provide your information first.
Somewhere on that website, there is a file with all of this consumer information contained in it. And somebody inside the government knows how many records are in that file. Every one of them is a potential victim.
According to the HHS memo, it could take as much as three months of end-to-end testing by contractors to ensure that the site is secure. Yet that testing hasn't even begun. In fact, HHS probably can't do any testing at this point because they are trying to update the software powering the site. Every update they make to the site's code would require new security testing across the entire site. The bottom line is that it probably doesn't make any sense at all to conduct security tests until the site is functioning as intended and running stably. In the meantime, anyone who uses it is putting themselves at risk.
Site security was a key line of questioning for HHS Secretary Kathleen Sebelius by Rep. Mike Rogers (R-MI). Rogers used the same internal memo mentioned above in his questioning and, at one point, said, "You have exposed millions of Americans because you all, according to your memo, believed it was an acceptable risk. Don't you think you had the obligation to tell the American people that we're going to put you in this system, but beware, your information is likely to be vulnerable?" Sebelius never directly responded to the question.
For the record, ACCESS has been saying for three years now that we believe the law creates new large databases of consumer information that will act like a magnet for crooks and identity thieves. We've also pointed out that the federal government's record for data security is abysmal. Some of the largest data breaches in history have occurred due to US Government data security lapses.
by Jim Malmberg