November 25, 2013 - The security hits keep on coming for both Healthcare.gov (the federal healthcare exchange) and the various state insurance exchanges that serve about 1/3 of the country. Within the past two weeks, there have been two reports of people logging onto the exchanges only to be given access to the personal information of someone else. And in congressional testimony last week, four data security experts told Congress that the public shouldn't be using the federal exchange due to lax data security.
Yesterday, the Vermont Health Connect website (which is the healthcare exchange run by the State of Vermont) confirmed a data breach which may have been self-inflicted. The breach occurred when one consumer who registered on the site received a copy of someone else's insurance application via email. The consumer who received the email was apparently upset about it and notified the original insurance applicant. That applicant then notified the state exchange.
In an eerily similar incident on the federal exchange, a South Carolina resident by the name of Thomas Dougall, who registered on the exchange simply to shop prices, received notification from a consumer in North Carolina that his information had been breached. Apparently Dougall's information had been supplied to the man in North Carolina when he logged onto the federal exchange.
These are not the first data breaches to occur on the healthcare exchanges. As we have previously reported, the Minnesota healthcare exchange suffered a breach on its first full day of operation.
More importantly, the data breaches mentioned here may not be the most significant that have occurred already. Last week in congressional testimony, the Department of Health and Human Services (HHS) revealed that the federal exchange had been targeted by hackers 16 times already. None of those attempts had been successful according to HHS.
But based on follow-up testimony from a group of computer experts, the HHS statement may have grossly understated the actual number of hacking attempts against the site. Moreover, one of the people testifying stated specifically that the site may have already been compromised.
David Kennedy, CEO of data security firm TrustedSec, told members of Congress that "… if I had to guess, based on what I can see … I would say the website is either hacked already or will be soon." Kennedy was later interviewed by Fox News and said that based on his analysis of the site, there had already been "a large number of SQL injection attacks against the healthcare.gov website, which are indicative of 'a large amount' of hacking attempts."
Kennedy went on to say, "Based on the exposures that I identified, and many that I haven’t published due to the criticality of exposures – if a hacker wanted access to the site or sensitive information – they could get it." In describing the threat for fraud and ID theft, Kennedy stated that the site was one of the largest repositories of consumer data that his company had ever seen.
Kennedy was not alone in his assessment. He was joined in his testimony by four other security experts and none of them had anything positive to say about Healthcare.gov's data security. Three of the four called for the site to be taken off-line until the security issues are fixed. And all four of them stated that no Americans should be using the site at present.
Any consumer who registers on the healthcare exchange needs to be aware of the risk for fraud and identity theft. The risk is there for both the federal and the state exchanges. At the time the federal exchange was launched, the government had done almost no security testing on it. To date, they have still not run an end-to-end security test.
by Jim Malmberg