Ben Simo’s analysis of data sent by HealthCare.gov to analytics providers shows information that could be used to hijack a user’s account. (Credit: Ben Simo, Is There A Problem Here?)

Apparently, HealthCare.gov isn’t just having a few backend problems.

A software quality researcher studying the besieged online health insurance exchange has discovered a number of issues that could expose the personally identifiable information of applicants to third parties and leave that information vulnerable to attacks by hackers. Those problems may be due in part to the long-delayed security testing of the entire integrated exchange system, which was put off while last-minute development work was done to ready the site for launch. Recently published internal government documents indicate that the site was given only provisional security approval before launch because a substantial amount of testing had not been completed just days before the site’s October 1 launch date.

The problems uncovered by researcher Ben Simo hint at how slapdash some of the coding done to integrate the site was.

He found personally identifiable information embedded both in Web addresses sent to reset user passwords and in data being sent to third-party sites not directly involved in the health insurance certification process.

HealthCare.gov’s website also pushes personal data having nothing to do with site functionality back to browsers.

While that data is sent over an encrypted connection, it could be vulnerable to exploits targeting HealthCare.gov users.