A federal watchdog has found security flaws in state-run ObamaCare exchanges in California, Kentucky and Vermont, potentially putting millions of customers’ data at risk.
The three states were found to have cybersecurity weaknesses such as insufficient encryption and inadequate firewalls, according to a months-long study by the Government Accountability Office.
California’s system, known as Covered California, is the nation’s largest state-run exchange. Both California and Kentucky have been touted as a national model, though Vermont has had a documented history of issues with its exchange.
The GAO’s investigation was released in March, but it did not name the states. That information was reported Thursday by The Associated Press, which obtained it through a Freedom of Information Act request.
Federal officials said their findings in the investigation, which was initially limited to those three states, likely means that other states’ websites have faced similar issues.
State officials in California and Kentucky told the AP that no breaches had been reported, while officials in Vermont declined to discuss the findings.
Only about a dozen states have opted to run their own healthcare exchanges under ObamaCare, with most choosing to use the federal version, HealthCare.gov.
Both the state and federal versions of the healthcare website have ran into unexpected technological problems. The federal HealthCare.gov website took weeks to become fully functioning after crashing during its initial launch in 2013.
Many states have since struggled with maintaining their marketplace’s online infrastructure, with dwindling budgets each year.