AP: Administration Was Told Healthcare.gov Had 'High' Security Risk Four Days Before Launch

Adrianne Jeffries | The Verge | October 30, 2013

The Associated Press (AP) is reporting that the agency that oversaw the launch of the online health insurance marketplace Healthcare.gov received a memo warning of security risks shortly before the site was deployed. The source of the memo, which was sent to the head of the Centers for Medicare and Medicaid Services (CMS), was not revealed.

The memo said that one of the contractors working on the project was unable to perform a complete security test of the site in time, which "exposed a level of uncertainty that can be deemed as a high risk." The memo recommended that a security team be established to "address risks, conduct daily tests, and [perform] a full security test within two to three months of going live," according to the AP.

The warning, addressed to CMS chief Marilyn Tavenner, was dated four days before Healthcare.gov went live on October 1st. Since launch, independent security researchers have identified issues with the site that made it vulnerable to hackers. The worst was a problem with the password reset function that made it possible to reset someone else's password using their username and a bit of research. Further revelations show that some personal information sent through the site — which includes names, Social Security numbers, addresses, and dates of birth — may still be vulnerable to hackers and data leaks...