California, Kentucky and Vermont Health Exchange Security Flaws Placed Data at Risk of Exposure

An investigation conducted by the Government Accountability Office revealed “significant” cybersecurity vulnerabilities existed in all three state health exchanges studied: California, Kentucky, and Vermont. Those vulnerabilities could have potentially been exploited by hackers to gain access to the sensitive data of hundreds of thousands of Americans.

Only three of the 12 states that run their own health insurance exchanges were investigated, but since all three were found to have serious vulnerabilities, it is likely that the other 9 states may also be vulnerable to cyberattacks.

The GAO report was compiled following an investigation conducted between October 2013 and March 2015. While the report was published last year in an abbreviated form, the states that were investigated were not named. This week the GAO revealed the states to the Associated Press after a request was filed under the Freedom of Information Act.

Some of the security vulnerabilities have now been addressed, but a number still remain. The report did not disclose details of the vulnerabilities on each state website, although some of those vulnerabilities include the failure to block hostile visits to the websites, a lack of proper encryption on servers, and the failure to encrypt passwords. The latter flaw would make it relatively easy for an attacker to gain access to individual user accounts.

Since learning of the security flaws, the states have taken action to address the issues and security has been improved. California has addressed all but four of the 41 security issues discovered by GAO auditors. One vulnerability cannot be addressed as doing so would contravene state law. The other three issues were technical security recommendations with which Covered California disagreed.

Vermont claimed that appropriate controls have been put in place to meet federal standards, and the insurance exchange has changed vendors since the audit was conducted.

The Kentucky exchange has corrected some of the security vulnerabilities, but the technical security recommendations have taken some time to implement and consequently some have yet to be addressed. However, due to the cost of running the exchange, Kentucky’s exchange will be shut down and existing state residents will be transferred to the Healthcare.gov site later this year.

Spokespersons for both California and Kentucky pointed out that while security vulnerabilities did exist, neither state agency had experienced any data breaches as a result of those vulnerabilities being exploited.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.