GAO to report on security incidents at HealthCare.gov

Government investigators will release a report later this year about multiple cybersecurity “incidents” at HealthCare.gov, a GAO official told lawmakers Wednesday.

Gregory Wilshusen, director of Information Security Issues for the Government Accountability Office (GAO), suggested there have been several cyber events at ObamaCare’s online exchange. He did not provide further details.

“We presently have work ongoing, looking at both the security and privacy of the state-based insurance marketplaces as well as looking at the incidents that have identified for HealthCare.gov by [the Centers for Medicare and Medicaid Services],” Wilshusen told members at a House Oversight Committee hearing.

The GAO “just recently received a list of the incidents” from CMS and is now studying them, he said.

The eventual GAO report is sure to stoke debate about the security of HealthCare.gov, the website where millions have purchased medical coverage since the site's rocky 2013 launch.

To apply for health insurance, users must input a variety of personal details, including Social Security numbers and addresses. Security experts predicted the site was likely to be a hacking target as a result.

It was unclear from Wilshusen’s comments whether hackers successfully breached the website’s defenses more than once. In September, federal officials acknowledged that intruders gained access to an outer HealthCare.gov server, but said they neither viewed nor took any personal information.

The GAO has been critical of HealthCare.gov’s security in the past. A 78-page report released in September described a series of technical steps investigators said CMS did not take while constructing and repairing the sprawling website.

The agency did not require strong password controls for systems supporting the site, implement consistent security patches or properly configure the administrative network, for example, GAO said.

The Department of Health and Human Services replied at the time that it had adopted many of GAO’s recommendations, and said the hackers’ intrusion was discovered quickly by industry standards.

Wilshusen made his comments during an exchange with Del. Eleanor Holmes Norton (D-D.C.) during a hearing on third-party vendor security.