The Web portal used by millions to purchase health insurance under the Affordable Care Act logged 316 cybersecurity incidents during an 18-month period, a government report revealed on Wednesday.
But the watchdog did find a number of flaws in how the Centers for Medicare and Medicaid Services (CMS) — which administers Healthcare.gov — protects a key data hub.
The data hub sends site users’ personal data to various federal agencies, including the Internal Revenue Service and Homeland Security, to verify the information.
The Government Accountability Office (GAO) dinged the agency for not consistently patching security flaws, for insufficiently restricting administrator privileges and for an insecure configuration of the network.
The CMS has also failed to adequately monitor security controls at state-based insurance marketplaces, according to the watchdog. In a previous report, the GAO found three states with “significant weaknesses,” including insufficient encryption and inadequately configured firewalls.
“Without well-defined oversight procedures and more frequent monitoring of security controls, CMS has less assurance that state-based marketplaces are adequately protected against risks to the sensitive data they collect, process, and maintain,” Wednesday’s report reads.
The exchange site has been under fire from regulators since its disastrous rollout in 2013.
A 2014 report from the GAO said health officials failed to implement best practices across the entire system, leaving small weaknesses that place sensitive information at risk.
A September report from the inspector general at the Department of Health and Human Services revealed that the government had stored site users' personal information on a network with basic cybersecurity flaws.
According to that report, the CMS agreed with all of the inspector general's recommendations and began fixing the problems before the audit was complete.
“CMS reported that it remediated all vulnerabilities and addressed all findings we identified before we issued our final report,” the report states.
The watchdog did not provide the same assurances in Wednesday's report. It has issued a second report with more limited distribution, offering 27 recommendations to secure the data hub. It also noted that "while CMS has taken steps to oversee the security and privacy of data processed and maintained by state-based marketplaces, improvements are needed."