Security Lapse Discovered in Government Health Care Site
It turns out that long wait times and persistent glitches aren't the worst problems HealthCare.gov has experienced. A software tester discovered that for the first few weeks the site was live, it was fairly easy for someone to hijack another user's account.
Software tester Ben Simo alerted the Department of Health and Human Services last week that its official website for buying health insurance coverage under the Affordable Care Act had a security hole. Someone with bad intentions could reset any user's password, take over the account, and read that user's personal information.
Simo said it took nothing more than guessing a user name. The site confirmed whether a given user name existed, so an attacker could enumerate valid accounts. Requesting a password reset for that name then reset the account's password, and the reset code itself was embedded in the page source the site sent back to the browser, where anyone who viewed the source could read it.
Plugging the user name and that reset code back into the site brought up the user's three security questions (prompts such as oldest niece's first name, name of favorite pet, date of wedding anniversary), answers that could often be tracked down with a few searches of public records and social networking sites.
Worse, answering the security questions incorrectly still returned the account owner's personal email address, again in clear text.
This barely qualifies as a hack, since anyone who could read a web page's source could have walked through it. The hole would not have exposed the account owner's Social Security number, but it did yield the user's home address and phone number.
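The flow described above, as an added example (not code from the article or from HealthCare.gov): a toy Python model of the vulnerable reset handler beside a hardened one. The account data, the class and function names (`VulnerableReset`, `HardenedReset`, `attack_vulnerable`, `attack_hardened`) and the constructed `jdoe` account are all assumptions made for illustration. The vulnerable class reproduces each leak in turn (existence check, reset code in the response body, security questions, email returned on wrong answers); the hardened class answers every input with the same generic message, sends an unguessable token only out of band, stores it hashed with an expiry, accepts it once, compares it in constant time, and never puts account data in a reply.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample account (illustration only; not real HealthCare.gov data).
ACCOUNTS = {
    "jdoe": {
        "email": "jdoe@example.com",
        "address": "1 Main St",
        "phone": "555-0100",
        "questions": ["Oldest niece's first name?", "Favorite pet?", "Wedding anniversary?"],
        "answers": ["alice", "rex", "2004-06-12"],
    }
}


class VulnerableReset:
    """Models the flow the article describes; each step leaks something."""

    def __init__(self):
        self.codes = {}  # username -> plain reset code

    def check_username(self, username):
        # Step 1: confirms whether an account exists (username enumeration).
        return {"exists": username in ACCOUNTS}

    def forgot_password(self, username):
        # Step 2: the reset code goes straight into the response body,
        # i.e. into the page source that anyone can view.
        if username not in ACCOUNTS:
            return {"message": "no such user"}
        code = secrets.token_hex(4)
        self.codes[username] = code
        return {"message": "password reset", "reset_code": code}

    def get_questions(self, username, code):
        # Step 3: username + leaked code -> the account's security questions.
        if self.codes.get(username) == code:
            return {"questions": ACCOUNTS[username]["questions"]}
        return {"questions": []}

    def answer_questions(self, username, code, answers):
        # Step 4: the e-mail address comes back whether the answers are right
        # or wrong, so the questions protect nothing.
        acct = ACCOUNTS[username]
        ok = self.codes.get(username) == code and answers == acct["answers"]
        return {"ok": ok, "email": acct["email"]}


def attack_vulnerable(svc, username):
    """Walk the flow with a guessed username and deliberately wrong answers."""
    if not svc.check_username(username)["exists"]:
        return None
    code = svc.forgot_password(username)["reset_code"]  # read from page source
    svc.get_questions(username, code)                   # questions to research later
    return svc.answer_questions(username, code, ["?", "?", "?"])["email"]


class HardenedReset:
    """Same feature without the leaks (assumed design, not the site's fix)."""

    TOKEN_TTL = 900  # seconds a reset token stays valid
    GENERIC = "If an account exists for that name, a reset link has been sent."

    def __init__(self):
        self.tokens = {}  # username -> (sha256(token), expiry)
        self.outbox = []  # stands in for the e-mail sender

    def forgot_password(self, username):
        if username in ACCOUNTS:
            token = secrets.token_urlsafe(32)
            self.tokens[username] = (
                hashlib.sha256(token.encode()).digest(), time.time() + self.TOKEN_TTL)
            self.outbox.append((ACCOUNTS[username]["email"], token))  # out of band only
        return {"message": self.GENERIC}  # identical for real and bogus names

    def reset_password(self, username, token, new_password):
        entry = self.tokens.get(username)
        if entry is None:
            return {"ok": False}
        digest, expiry = entry
        presented = hashlib.sha256(token.encode()).digest()
        if time.time() > expiry or not hmac.compare_digest(digest, presented):
            return {"ok": False}  # no account data in the failure branch
        del self.tokens[username]  # single use
        salt = secrets.token_bytes(16)
        ACCOUNTS[username]["pw"] = (
            salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000))
        return {"ok": True}


def attack_hardened(svc, username):
    """The same attacker gets nothing: no existence signal, no token, no e-mail."""
    resp = svc.forgot_password(username)
    if "reset_code" in resp or resp["message"] != svc.GENERIC:
        return "leak"
    guess = secrets.token_urlsafe(32)  # attacker has no channel to learn the real token
    return svc.reset_password(username, guess, "pwned").get("email")
```

Running `attack_vulnerable(VulnerableReset(), "jdoe")` returns the victim's email with no correct answers supplied, while `attack_hardened(HardenedReset(), "jdoe")` returns `None`; the legitimate owner completes the hardened flow by reading the token from the (simulated) mailbox and calling `reset_password` with it.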
After Simo alerted the site's administrators, the hole was closed by October 25; the reset code is no longer visible to outsiders. But that was three and a half weeks after the site went live, a window security experts call unacceptable, especially for a project of this scale.
The exchange sites remain a target. Cyber attacks on the Affordable Care Act exchange websites have already been reported, and according to a recently released government memorandum, the security of the health care website was rated "high risk" because of a lack of testing before it opened for enrollment.
“This seems really sloppy,” Simo, the tester who found the password reset security lapse, told CNN. “Either the developers were incompetent and did not know how to do the basic things to protect user information, or the development was so fractured that the individuals building the system didn't understand how they fit into the bigger picture.”