Healthcare.gov was never penetrated by hackers or leaked any personally identifiable information despite 316 different information-security-related incidents since its notoriously botched launch, government auditors said.
However, weaknesses in security procedures for the site’s online data exchange portal, which links it to the state-level insurance marketplaces, continue to create security risks, according to a Government Accountability Office report released Wednesday.
Of the 316 incidents reported by the Centers for Medicare and Medicaid Services between October 2013 and March last year, the majority, 191, were scans or probes of the website. Only one involved an actual hacker intrusion — the widely publicized incident disclosed last year when a test server was left exposed and had malware installed on it, but no PII was put at risk in that case, the report stated.
Fifty-five of the incidents involved the exposure of PII, mostly “because of physical mail being sent to an incorrect recipient or unencrypted PII being transmitted via e-mail to a limited number of individuals,” report said. Another 52 were under investigation at the time of the report.
The vast majority of the incidents, 311, were of only “Moderate/Limited” impact. Four had less impact than that. Only one, when a large number of computer logins and phone numbers was sent to staff in an unencrypted e-mail message, qualified as a “Significant/Large” incident.
CMS has created new procedures and steps to improve security, but they still have many problems with their online data exchange portal, the Federal Data Services Hub, auditors wrote. GAO found their data hub lacking administrative network configuration, their security patches inconsistent, and their administrative network insufficient.
“Although CMS continues to make progress in correcting or mitigating previously reported weaknesses within Healthcare.gov and its key supporting systems, the information security weaknesses found in the data hub will likely continue to jeopardize the confidentiality, integrity, and availability of Healthcare.gov,” the report concluded.
Contact the reporter on this story via email: Jeremy.Snow@FedScoop.com. Follow him on Twitter @JeremyM_Snow. Sign up for the Daily Scoop — all the federal IT news you need in your inbox every morning — here: fdscp.com/sign-me-on.