The federal government stored the sensitive personal data of millions of people who purchased insurance through ObamaCare on a network with basic cybersecurity flaws, a federal audit revealed Thursday.
HealthCare.gov, the much-maligned federal exchange for healthcare coverage, suffered from a number of security issues, according to the inspector general at the Department of Health and Human Services (HHS).
While MIDAS doesn’t handle medical records, it does store names, Social Security numbers, addresses, passport numbers, and financial and employment information for exchange customers.
According to the report, MIDAS did not encrypt user sessions, even though session encryption is common practice for most online financial transactions.
The Centers for Medicare and Medicaid Services (CMS), which oversees the site, also apparently failed to perform basic vulnerability scans that might have uncovered weaknesses in the website's servers.
In addition to poor security policies, the HHS audit found 135 database vulnerabilities — such as software bugs — 22 of which were classified as “high risk.” Sixty-two of the flaws were classified as medium risk.
According to the report, the CMS agreed with all of the IG recommendations and began fixing the problems before the audit was complete.
“CMS reported that it remediated all vulnerabilities and addressed all findings we identified before we issued our final report,” the report states. “We have since reviewed the supporting documentation and verified CMS’s remediation.”
The exchange site has been under fire from regulators since its disastrous rollout in 2013.
A 2014 report from the Government Accountability Office (GAO) said that health officials failed to implement best practices across the entire system, leaving small weaknesses that place sensitive information at risk.
The GAO is expected to release another report at some stage this year about what it described as multiple cybersecurity “incidents” for HealthCare.gov. The system was apparently breached by hackers last summer, though according to reports, no consumer information was viewed or taken.
“We presently have work ongoing, looking at both the security and privacy of the state-based insurance marketplaces as well as looking at the incidents that have been identified for HealthCare.gov by [the Centers for Medicare and Medicaid Services],” Gregory Wilshusen, director of information security issues, told members at a House Oversight Committee hearing in April.
Approximately 10 million consumers currently rely on HealthCare.gov to buy health insurance coverage.