Americans are methodically dealing with the Kübler-Ross stages of Obama-care grief, with our national healing process moving briskly through roughly one stage per week: (1) denial upon realizing that the website HealthCare.gov didn’t work; (2) anger at the realization that the technical back-end of the exchanges is as dysfunctional as the front-end of the site; (3) shock at the cancellation of plans and increase of premiums; and (4) depression at the prospect of losing access to doctors, too. We’re ready to move on to the fifth stage: acceptance that privacy will also be a casualty of HealthCare.gov.
Justin Hadley was perhaps the first consumer to witness this breach. As was reported by the Heritage Foundation, Hadley is a North Carolina resident who used to buy his insurance from Blue Cross Blue Shield on the individual market. In September, Blue Cross Blue Shield informed him that, thanks to Obamacare, they were canceling his policy. Hadley went to HealthCare.gov and was one of the lucky few able to register with the system. He was rewarded when a letter popped up onscreen. The letter was made out to someone else—one Thomas Dougall, of Elgin, South Carolina—and it contained Dougall’s contact information and notes on his and his family’s eligibility to buy insurance on the exchanges. When Hadley reached out to Dougall to inform him of the mistake, Dougall was shocked.
He shouldn’t have been. When members of Congress questioned Kathleen Sebelius about privacy concerns last month, the secretary of health and human services protested, “I would tell you we are storing the minimum amount of data, because we think that’s very important. The hub is not a data collector.”
It’s difficult to imagine what Sebelius was thinking. “The hub”—meaning the web portal that is HealthCare.gov—does not collect medical records to store away on government servers. But it does collect all sorts of data about you, which it keeps attached to your account.
Yet what worries people about the site isn’t that HealthCare.gov is a “data collector”; the concern is that it’s a data sieve.
The people who created the site seemed to understand this trepidation. In mid-October Jeryl Bier reported on this magazine’s website that by examining the source code of the “Terms & Conditions” page, the following statement—which was not displayed on the page itself—became visible: “You have no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system.” (HHS later removed this language.)
On his blog, professional software tester Ben Simo began tinkering with HealthCare.gov shortly after it launched and uncovered security holes almost immediately. At first, the site processed an application that he had begun filling out but did not submit—meaning the site took the personal information he had entered and forwarded it to a state agency without his authorization. Next, he tried changing the email address associated with his HealthCare.gov account. With most websites, when you change your email, they send a notice of the change to your old address, so that if your account has been compromised by a hacker who changes the email, you’ll be alerted. Instead, HealthCare.gov sent an email to Simo’s new address about the change—a redundant step that provides no security for users. When doing another bit of routine maintenance on his HealthCare.gov account, Simo found that the site was sending information about his username via unsecure HTTP protocols, rather than the encrypted HTTPS. As anyone even passingly acquainted with shopping on the Internet would realize, this is, as Simo put it, “a huge security flaw” because HTTP information can be intercepted by anyone who cares to look for it.
Why would it matter if someone intercepted your username? Because if someone sniffs out a username sent over HTTP, then they can use HealthCare.gov to confirm the existence of the username, reveal the email address associated with it, reveal the password reset code, and show the security questions associated with the account. Which is pretty much everything a malicious party would need to take over your account.
There’s more: On most websites, when you create an account, the site sends an email to the address associated with the account and requires you to click on a link to activate it. This process validates the email address being used and makes sure that you’re not creating an account with someone else’s email. Simo discovered that on HealthCare.gov, when you create an account, you verify the email associated with it by clicking on a link displayed in your browser. Which means that anyone could make an account using anyone else’s email.