3 State Health Exchanges Vulnerable to Hackers

Cathey Park of Cambridge, Massachusetts, wears a cast for her broken wrist with "I Love Obamacare"
April 8, 2016 1:55 pm


Health insurance websites established under Obamacare in California, Kentucky, and Vermont contain substantial cybersecurity vulnerabilities, leaving the personal data of individuals enrolled in those states exposed to hackers, according to the Government Accountability Office.

The Associated Press reported Thursday:

The GAO report examined the three states' systems from October 2013 to March 2015 and released an abbreviated, public version of its findings last month without identifying the states. On Thursday, the GAO revealed the states' names in response to a Freedom of Information request from the AP … According to the GAO, one state did not encrypt passwords, potentially making it easy for hackers to gain access to individual accounts. One state did not properly use a filter to block hostile attempts to visit the website. And one state did not use the proper encryption on its servers, making it easier for hackers to get in. The report did not say which state had what problem.

Federal investigators said additional websites used in state-run exchanges may be exposed due to the number of flaws found across the sites of the three states studied, according to the Associated Press.

Authorities in California and Kentucky told the Associated Press that they did not find evidence of successful hacks. Vermont officials did not comment on whether data had been compromised but said they had switched vendors since the GAO investigation.

GAO officials reported that the federal exchange may also be vulnerable, citing 316 "security incidents" between October 2013 and March 2015 on

The Associated Press reported that those breaches included "unauthorized access, disclosure of data, or violations of security practices." Though federal officials did not find instances of lost or stolen data, GAO investigators said the vulnerabilities "will likely continue to jeopardize the confidentiality, integrity and availability of"