Obamacare health insurance websites in California, Kentucky and Vermont have serious cybersecurity flaws that could result in hackers obtaining personal data from hundreds of thousands of people, according to the Government Accountability Office.
GAO recommended the government provide continuous cybersecurity monitoring of the sites to combat these issues. Given the number of weaknesses found in these three states, GAO officials said other state-run health insurance exchanges may have similar security vulnerabilities. And some of these flaws haven't been fixed.
One state didn't encrypt passwords, GAO officials said. Another state didn't properly use a filter to block hostile attempts against the site. And the other state didn't use proper encryption - leaving a door open for hackers to gain entry. The report didn’t specify which states had the specific issues.
GAO examined the systems of the three states from October 2013 to March 2015 and released the public version of the findings last month - without naming the states.
The information was shared with state officials last September. GAO released the state names on Thursday due to a Freedom of Information Act request filed by the Associated Press.
Officials from both California and Kentucky told the AP there was no evidence hackers had stolen anything, while Vermont officials declined to comment on the findings.
"Because of the time required to fix the technical issues, not all those issues had been addressed (by the time Gov. Matt Bevin took office in early December)," Steve Beshear, who was Kentucky's governor when the security flaws were discovered, told AP through a spokeswoman.
"It’s important to note there were never any security breaches of any kind, and no one's information was ever compromised," he added.
Efforts to fix the problems "are in various stages of completion and implementation," Doug Hogan, a spokesman for the Bevin administration's Cabinet for Health and Family Services, told AP.
A spokesperson for California's exchange didn't say how the problems were being addressed. Vermont officials said the state has changed vendors since GAO did its report.
Health insurance exchanges were set up under President Obama's healthcare initiative and are designed as online marketplaces for those without insurance. Some sites were run by the state, while others were jointly or completely run with the federal site.
Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com