The other problem with HealthCare.gov.
Nov 18, 2013, Vol. 19, No. 10 • By JONATHAN V. LAST
Those are just the problems concerned with how HealthCare.gov handles your account and whatever information is contained therein. And however worrisome these failures are, presumably they can be fixed. (Some already have been.) The rest of the iceberg is much scarier.
For instance, like many websites, HealthCare.gov doesn’t just push information back and forth between itself and individual users. In certain circumstances, it allows third parties to participate, too. HealthCare.gov, for one, uses third-party clients to collect analytics on how the site is used. HealthCare.gov’s privacy statement explicitly says that “no personally identifiable information” will be shared with these third-party vendors. But Simo found that when you activate an account or reset your password, your information is sent to the third parties, too.
Simo acted as a true white hat in all of this: Every time he uncovered a breach, he alerted HealthCare.gov’s customer service. He even went to the trouble of finding a back channel to the HHS web team so that he could get information directly to them. And as a public service, he posted extensive accounts of all the problems he found. It was the kind of beta testing HealthCare.gov should have undergone last year. For his trouble, during her congressional testimony, when Sebelius was asked about the problems Simo had uncovered, she dismissed him as a “skilled hacker” who had tried to attack the site.
The reason Simo was so persistent is that if a malicious hacker had gained access to a HealthCare.gov account, he would gain access to an enormous amount of personal information: your name, address, email, phone number, birth date, income, marital status, and much, much more.
All of these privacy problems are technical in nature, the result of both poor design and poor execution. Yet the biggest privacy concern is systemic: By sending your information hither, thither, and yon—from HealthCare.gov to the state exchanges to individual plans, each of which will use third-party applications—users have geometrically increased the exposure of their information. And not just to hackers. As Michael Astrue put it in The Weekly Standard when he first sounded the alarm:
There is a saying in the programming world: With 10,000 eyes, all bugs are shallow. This little Zen koan gets at one of the immutable rules of writing code: If you have enough testers and programmers, you can untangle any mistake. HealthCare.gov may be the exception that proves the rule.
Jonathan V. Last is a senior writer at The Weekly Standard.