Obamacare Expedited Bid Process Limited Who Could Build Website
Andrew Harrer/Bloomberg via Getty Images
By Jim Finkle
and Alina Selyukh


The website at the center of President Barack Obama's health care overhaul has security flaws that put user data at "critical risk" despite recent government assurances it is safe to use, a respected security expert said Tuesday.

"There are actual, live vulnerabilities on the site now," David Kennedy, head of computer security consulting firm TrustedSec, told Reuters before testifying at a congressional hearing on the topic "Is My Data on HealthCare.gov Secure?"

Kennedy, a former U.S. Marine Corps cyber-intelligence analyst, presented a 17-page report describing the problems to the House Science, Space and Technology Committee. It doesn't go into specifics in some areas, he said, because that could provide criminals with a blueprint for launching attacks.

The website is an online exchange that allows consumers to shop for insurance plans under Obama's Affordable Care Act, which mandated that Americans have health insurance and created new marketplaces to buy and sell policies.

The site has been bedeviled by technical glitches since its launch on Oct. 1, although Obama administration officials have said they are getting on top of the problems.

"There is a lot of stuff that we are not publicly disclosing because of the criticality of the findings," Kennedy said. "We don't want to hurt people."
When asked to describe the severity of the threat that they posed to the public, he said it was a "critical risk."

The HealthCare.gov site collects data including the names, birth dates, social security numbers, email addresses and health care information about its users that criminals could use to engage in a wide variety of scams.

"The Obama administration has a responsibility to ensure that the personal and financial data collected by the government is secure," said Lamar Smith, the Texas Republican who is chairman of the House committee.

"Unfortunately, in their haste to launch the HealthCare.gov website, it appears the administration cut corners that leaves the site open to hackers and other online criminals."

The Obama administration said Tuesday the website was safe to use.

Identifying Vulnerabilities

Kennedy was one of the first security experts to identify vulnerabilities that the site poses to the security of user data, describing them on his company's blog shortly after its Oct. 1 launch.

The site lets people know invalid user names when logging in, allowing attackers to identify user IDs for the site, according to the report prepared for Tuesday's hearing. It also describes more technical bugs that could lead to attacks.

Kennedy said in making his assessment he had used tools that allowed him to remotely view the site's software, code and architecture without needing credentials to log on to its server.

In October, a Sept. 27 government memorandum surfaced in which two Department of Health and Human Services officials said the security of the site hadn't been properly tested before its launch, creating "a high risk."

HHS spokeswoman Joanne Peters said then that steps had been taken to ease security concerns since the memo was written, and that consumer data was secure.

Peters reiterated those assurances Tuesday.

"When consumers fill out their online Marketplace applications, they can trust that the information that they are providing is protected by stringent security standards," she said.

"Security testing happens on an ongoing basis using industry best practices to appropriately safeguard consumers' personal information," she said.

The Department of Homeland Security said last week that authorities were investigating more than a dozen cybersecurity incidents targeting HealthCare.gov.


Increase your money and finance knowledge from home

Intro to different retirement accounts

What does it mean to have a 401(k)? IRA?

View Course »

Timing Your Spending

How to pay less by changing when you purchase.

View Course »

Add a Comment

*0 / 3000 Character Maximum

39 Comments

Filter by:
betty_brock

Is anyone surprised? Anyone,....anyone. I didn't think so.

November 20 2013 at 10:42 PM Report abuse rate up rate down Reply
Big John

Oh my God!!!! Try and get healthcare in the US and the end of the world is coming. You will at least self destruct or maybe even something worse. Just stay without healthcare and take your chances with the medical complex and the attorneys they hire. I mean what's the worse that can happen except you go bankrupt like thousands of other people. It's a hard decision!!!

November 20 2013 at 10:18 PM Report abuse +3 rate up rate down Reply
1 reply to Big John's comment
willypfistergash

You enroll in obamacare yet johnny?

November 21 2013 at 9:18 AM Report abuse +2 rate up rate down Reply
willypfistergash

And to find out this POS website is only ~30% built?

November 20 2013 at 9:16 AM Report abuse rate up rate down Reply
dweeeb.buster

From Obamacare Success Story to Obamacare Failure Story in Just 3 Days

http://blog.heritage.org/2013/11/19/obamacare-success-story-obamacare-failure-story-just-3-days/#.UovrY0Ci2Bo.facebook

The vicious Obamacare attacks against American citizens seem to have no end.

November 20 2013 at 8:51 AM Report abuse -1 rate up rate down Reply
1 reply to dweeeb.buster's comment
willypfistergash

This guy can't get anything right.

November 20 2013 at 9:14 AM Report abuse -1 rate up rate down Reply
slim2nnun

The Crooked obama regime does'nt have to worry about going on the bug plagued site. They are above us and made sure they were exempt from the Fraudcare law !

November 19 2013 at 5:01 PM Report abuse -1 rate up rate down Reply
wynn12

Poor obama, Hes been inflicted with Pseudologia. And now we all have to deal with the consequenses. Impeach the Fraud!

November 19 2013 at 4:41 PM Report abuse -1 rate up rate down Reply
hotrimer

Watch out for the Crypto Locker Virus. The secret is, It has attached itself to The Obamafraudcare site.

November 19 2013 at 4:12 PM Report abuse -1 rate up rate down Reply
willypfistergash

As if glitches weren't bad enough...but bugs too?

November 19 2013 at 4:09 PM Report abuse rate up rate down Reply
flysalot2

Security Bugs...Boy, that just makes one want to jump onto the ACA website. If this Obamacare cr@p wasn't so tragic it would be funny.

November 19 2013 at 4:08 PM Report abuse -1 rate up rate down Reply
unitedpaintings

Obama and his Administration, screwing America for another 3 years.

November 19 2013 at 3:20 PM Report abuse rate up rate down Reply