Americans are methodically dealing with the Kübler-Ross stages of Obama-care grief, with our national healing process moving briskly through roughly one stage per week: (1) denial upon realizing that the website HealthCare.gov didn’t work; (2) anger at the realization that the technical back-end of the exchanges is as dysfunctional as the front-end of the site; (3) shock at the cancellation of plans and increase of premiums; and (4) depression at the prospect of losing access to doctors, too. We’re ready to move on to the fifth stage: acceptance that privacy will also be a casualty of HealthCare.gov.
Justin Hadley was perhaps the first consumer to witness this breach. As was reported by the Heritage Foundation, Hadley is a North Carolina resident who used to buy his insurance from Blue Cross Blue Shield on the individual market. In September, Blue Cross Blue Shield informed him that, thanks to Obamacare, they were canceling his policy. Hadley went to HealthCare.gov and was one of the lucky few able to register with the system. He was rewarded when a letter popped up onscreen. The letter was made out to someone else—one Thomas Dougall, of Elgin, South Carolina—and it contained Dougall’s contact information and notes on his and his family’s eligibility to buy insurance on the exchanges. When Hadley reached out to Dougall to inform him of the mistake, Dougall was shocked.
He shouldn’t have been. When members of Congress questioned Kathleen Sebelius about privacy concerns last month, the secretary of health and human services protested, “I would tell you we are storing the minimum amount of data, because we think that’s very important. The hub is not a data collector.”
It’s difficult to imagine what Sebelius was thinking. “The hub”—meaning the web portal that is HealthCare.gov—does not collect medical records to store away on government servers. But it does collect all sorts of data about you, which it keeps attached to your account.
Yet what worries people about the site isn’t that HealthCare.gov is a “data collector”; the concern is that it’s a data sieve.
The people who created the site seemed to understand this trepidation. In mid-October Jeryl Bier reported on this magazine’s website that by examining the source code of the “Terms & Conditions” page, the following statement—which was not displayed on the page itself—became visible: “You have no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system.” (HHS later removed this language.)
On his blog, professional software tester Ben Simo began tinkering with HealthCare.gov shortly after it launched and uncovered security holes almost immediately. At first, the site processed an application that he had begun filling out but did not submit—meaning the site took the personal information he had entered and forwarded it to a state agency without his authorization. Next, he tried changing the email address associated with his HealthCare.gov account. With most websites, when you change your email, they send a notice of the change to your old address, so that if your account has been compromised by a hacker who changes the email, you’ll be alerted. Instead, HealthCare.gov sent an email to Simo’s new address about the change—a redundant step that provides no security for users. When doing another bit of routine maintenance on his HealthCare.gov account, Simo found that the site was sending information about his username via unsecure HTTP protocols, rather than the encrypted HTTPS. As anyone even passingly acquainted with shopping on the Internet would realize, this is, as Simo put it, “a huge security flaw” because HTTP information can be intercepted by anyone who cares to look for it.
Why would it matter if someone intercepted your username? Because if someone sniffs out a username sent over HTTP, then they can use HealthCare.gov to confirm the existence of the username, reveal the email address associated with it, reveal the password reset code, and show the security questions associated with the account. Which is pretty much everything a malicious party would need to take over your account.
There’s more: On most websites, when you create an account, the site sends an email to the address associated with the account and requires you to click on a link to activate it. This process validates the email address being used and makes sure that you’re not creating an account with someone else’s email. Simo discovered that on HealthCare.gov, when you create an account, you verify the email associated with it by clicking on a link displayed in your browser. Which means that anyone could make an account using anyone else’s email.
Those are just the problems concerned with how HealthCare.gov handles your account and whatever information is contained therein. And however worrisome these failures are, presumably they can be fixed. (Some already have been.) The rest of the iceberg is much scarier.
For instance, like many websites, HealthCare.gov doesn’t just push information back and forth between itself and individual users. In certain circumstances, it allows third parties to participate, too. For example, HealthCare.gov uses third-party clients to keep analytics on usage of the site. HealthCare.gov’s privacy statement explicitly says that “no personally identifiable information” will be shared with these third-party vendors. But Simo found that when you activate an account or reset your password, your information is sent to the third parties, too.
Simo acted as a true white hat in all of this: Every time he uncovered a breach, he alerted HealthCare.gov’s customer service. He even went to the trouble of finding a back channel to the HHS web team so that he could get information directly to them. And as a public service, he posted extensive accounts of all the problems he found. It was the kind of beta testing HealthCare.gov should have undergone last year. For his trouble, during her congressional testimony, when Sebelius was asked about the problems Simo had uncovered, she dismissed him as a “skilled hacker” who had tried to attack the site.
The reason Simo was so persistent is that if a malicious hacker had gained access to a HealthCare.gov account, he would gain access to an enormous amount of personal information: your name, address, email, phone number, birth date, income, marital status, and much, much more.
All of these privacy problems are technical in nature, the result of both poor design and poor execution. Yet the biggest privacy concern is systemic: By sending your information hither, thither, and yon—from HealthCare.gov to the state exchanges to individual plans, each of which will use third-party applications—users have geometrically increased the exposure of their information. And not just to hackers. As Michael Astrue put it in The Weekly Standard when he first sounded the alarm:
With HHS’s convoluted patchwork of contractors, including the data centers of “the cloud,” tens of thousands of people have now gained access to our personal data. The churning of marginal employees through the lowest bidders of “the cloud” particularly increases the risk of massive disclosures like those that Edward Snowden recently inflicted on the intelligence community and Bradley Manning inflicted on the military. Our greatest vulnerability may not be the hardware or the software, but the integrity of the contractors who use these tools.
There is a saying in the programming world: With 10,000 eyes, all bugs are shallow. This little Zen koan gets at one of the immutable rules of writing code: If you have enough testers and programmers, you can untangle any mistake. HealthCare.gov may be the exception that proves the rule.
Jonathan V. Last is a senior writer at The Weekly Standard.