Security flaws found in insurance websites


Associated Press

FRANKFORT, Ky.

Federal investigators found significant cybersecurity weaknesses in the health-insurance websites of California, Kentucky and Vermont that could enable hackers to get their hands on sensitive personal information about hundreds of thousands of people, The Associated Press has learned. And some of those flaws have yet to be fixed.

The vulnerabilities were discovered by the Government Accountability Office, the investigative arm of Congress, and shared with state officials last September. Vermont authorities would not discuss the findings, but officials in California and Kentucky said this week that there was no evidence hackers succeeded in stealing anything.

Regulators said that given the number of weaknesses they discovered in just the three states studied, other state-run health-insurance exchanges could be vulnerable, too. The GAO recommended the federal government continually monitor cybersecurity at such sites.

Created under President Barack Obama’s health care overhaul, the exchanges are online marketplaces where people who have no health insurance through their jobs can buy government-subsidized private coverage. Only a dozen states ran their own websites this year; the rest either switched to the federal one or jointly operate their exchanges with Washington.

Computer security flaws are just the latest headache for the state exchanges. Some, such as Oregon’s, suffered crippling technical problems when they were launched in 2013. Some states, such as Hawaii, turned operations back to the federal government because of cost concerns.

The GAO report examined the three states’ systems from October 2013 to March 2015 and released an abbreviated, public version of its findings last month without identifying the states. On Thursday, the GAO revealed the states’ names in response to a Freedom of Information request from the AP.

According to the GAO, one state did not encrypt passwords, potentially making it easy for hackers to gain access to individual accounts. One state did not properly use a filter to block hostile attempts to visit the website. And one state did not use the proper encryption on its servers, making it easier for hackers to get in.
