Test Version of Healthcare.gov Site Accessible By the Public

8:04 AM, Dec 18, 2013 • By JERYL BIER

The Healthcare.gov website has been plagued with problems since the October 1 launch. As web programmers often do, the designers of the federal government's flagship health care website have a test version of the site, spa.healthcare.gov, to help work out the kinks before implementation on the public site. That test site itself appears to be public.

When a user first attempts to access the "spa." site, the user's browser may display a warning. For example, the following warning appears to Chrome users:

The "security certificate" for the site is registered to Akamai Technologies, which bills itself as the "leading cloud platform for helping enterprises provide secure, high-performing user experiences on any device, anywhere."  Akamai does not list Healthcare.gov or the Department of Health and Human Services (HHS) as a client, though Akamai has been identified as handling server and web traffic duties for the site.

Some pages on the site simply mirror the main www.healthcare.gov site, such as the home page. However, some pages on the main site (https://www.healthcare.gov/find-premium-estimates/) are met with a "Sorry, we can't find that page" message on the "spa." site (https://spa.healthcare.gov/find-premium-estimates/). The login page on the "spa." site does not even open, but rather returns an "An error occurred while processing your request" message.

It is unclear why this "spa." site would be publicly accessible. A web designer, who requested not to be named, replied when asked about security concerns with the "spa." site:

Well it does have the https (ssl) option, however the certificate that is installed is for the wrong domain so you will get a warning/have to accept etc... It is common practice to create a "duplicate" site for testing and development. I do it all the time, however, common practice is to restrict access to the development/testing site. I always password protect etc the [non-production] site. To me it just seems like more sloppy work.

Congressional testimony given on November 19 by Internet security firm TrustedSec mentioned a security concern with the "spa." site:

It is unclear if the security concern indicated by TrustedSec still exists on the site.

There appears to be another test site for healthcare.gov, too: test.healthcare.gov/. But attempts to access this site are met with "Access Denied. You don't have permission to access 'http://test.healthcare.gov/' on this server."  However, large portions of another test version of the site, possibly set up in October after major issues surfaced, are readily accessible by the public at spa.healthcare.gov.
