‘Numerous Weaknesses,’ ‘Inadequate Security Settings’ Found in Colorado Obamacare Exchange

Personal information at risk for more than a year

Colorado HealthOP promotional campaign / AP
February 17, 2016

The Obamacare health exchange in Colorado faced "numerous weaknesses" and had "inadequate security settings," leaving the personal information of enrollees vulnerable, according to a new audit.

The inspector general for the Department of Health and Human Services publicly released its review of Connect for Health Colorado on Wednesday, revealing the exchange had inadequate security measures in place for more than a year.

The report, which reviewed information security controls as of November 2014, did not go into specifics of Connect for Health Colorado’s vulnerabilities because of the "sensitive nature of the information."

However, the report is able to reveal that the exchange’s security deficiencies were significant and could have compromised the personal information of Coloradans.

"[Connect for Health Colorado] C4HCO had implemented many security controls on its [Colorado Health Benefit Exchange] COHBE Web sites and databases with the intent to protect [personally identifiable information] PII; however, it did not fully comply with federal requirements, which increased C4HCO’s risk that PII could have been exposed," the inspector general said. "Specifically, C4HCO had not updated the system security plan’s supporting policies or ensured that vulnerabilities identified during prior scans were mitigated in a timely manner."

"Additionally, our database security scans identified numerous weaknesses regarding user access administration and inadequate security settings," the inspector general said. "Moreover, C4HCO had not performed incident response testing."

The inspector general did not find evidence that these weaknesses were exploited, despite the exchange operating for more than a year. Connect for Health Colorado opened in October 2013. The state did not begin to address the exchange’s security weaknesses until November 2014.

If personal information had been compromised, the consequences would have been severe, the inspector general said.

"Although we did not find evidence that the weaknesses had been exploited, exploitation could have resulted in unauthorized access to and disclosure of PII, as well as disruption of critical marketplace operations," the inspector general said. "As a result, the weaknesses were collectively and, in some cases, individually significant and could have compromised the integrity of Colorado’s marketplace, thus increasing the risk that PII could have been exposed."

"In addition, without proper safeguards, systems are not protected from individuals and groups that obtain access to commit fraud, waste, or abuse or launch attacks against other computer systems and networks," the inspector general said.

The Colorado health exchange cost taxpayers more than $184 million to create, the audit said.

The audit marks the latest bad news for Obamacare in Colorado, after the state’s biggest co-op announced it was folding last year. Colorado HealthOP collapsed in October, leaving 83,000 Coloradans without health insurance.

The inspector general shared its security findings with Connect for Health Colorado before publicly releasing the report, and said the exchange began addressing its security deficiencies. The exchange has fixed some of the problems, but only "partially remediated" others.

"Based on the evidence provided, C4HCO has successfully remediated the issues we found related to the system security plan and incident response testing and has partially remediated the issues we found related to the application production databases and vulnerability mitigation," the inspector general said.

Connect for Health Colorado did not immediately respond to a request for comment.