GAO Report Warns of ACA Website Security Risks

September 18, 2014

HealthCare.gov, President Barack Obama’s health insurance exchange, has security and privacy protection vulnerabilities, a U.S. government watchdog reported on Tuesday, nearly a year after the website’s troubled rollout.

The General Accounting Office (GAO) said that despite steps taken by the Centers for Medicare & Medicaid Services (CMS) for security and privacy protection, weaknesses remain in the processes used for managing information security and privacy.

The GAO also identified issues regarding the technical implementation of IT security controls.

“Until these weaknesses are addressed, increased and unnecessary risks remain of unauthorized access, disclosure, or modification of the information collected and maintained by HealthCare.gov…,” the GAO said.

The report follows a security breach on the website in August. An unknown computer hacker infiltrated the HealthCare.gov website, apparently uploading malicious files.

“The president and his administration launched HealthCare.gov knowing that the personal information of Americans who bought insurance through the website was not safe. Their personal information was not safe then, and it is not safe now,” Senator Lamar Alexander said in a statement.

The report says most of the issues could be attributed to disagreements about security roles and responsibilities with the various contractors, states and federal agencies that are part of the HealthCare.gov system.

“Someone should be held accountable for this kind of gross mismanagement, and security must be fixed immediately before a major hacking attack does massive damage,” Alexander said.

(Reporting By Krishna Chaithanya; Editing by Ken Wills)