HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HealthCare.gov Security Vulnerability Critical, Says OIG

A “critical” HealthCare.gov security vulnerability has been discovered which could potentially be exploited by hackers looking to gain access to highly confidential data, according to the Department of Health and Human Services’ Office of the Inspector General.

The government’s team of ethical hackers were let loose on the HealthCare.gov website, and discovered a critical weakness in its otherwise robust security features. The team used standard techniques known as vulnerability scanning, which simulate an attack by malicious outsiders. The scans therefore assessed security vulnerabilities that could realistically be exploited by external hackers. The team of “white hat” hackers discovered the vulnerability, although they were not able to exploit it to gain access to data due to a range of other security defenses installed to safeguard stored data.

The HealthCare.gov website is the gateway to taxpayer-subsidized health plans and is used by 36 states, with those health plans subscribed to by millions of Americans. The data potentially accessible through the site is extensive. The site is therefore an attractive target for criminal hackers, who seek Social Security numbers, insurance information and personal data of health plan members in order to commit identity theft and insurance fraud.

The government has implemented a number of security controls to protect consumer data in recent months and has addressed several of the website’s security risks; however the encryption technology used to protect the site was found to fall short of the government’s own encryption standards. The response to the criticism over the encryption used was that other measures had been put in place to increase security.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Over the summer, the HealthCare.gov website was targeted by malicious hackers who managed to install malware which, had it not been discovered, could have been used to launch an attack that would have allowed the perpetrators to gain access to consumer data. As it was, no consumer data was exposed in the attack.

Security controls on the website will continue to be monitored, and the Department of Health and Human Services will similarly test for security vulnerabilities to ensure that any other security issues are discovered and addressed.

The website was not the only portal to be scanned for security holes. The government’s ethical hackers also tested security on two other websites: The small-business portal used in New Mexico was found to contain 64 security vulnerabilities, although the website used in Kentucky was determined to be secure.

MIDAS Database Security Flaws Addressed


The government’s MIDAS database (Multidimensional Insurance Data Analytics System) stores a vast amount of consumer insurance data and Personally Identifiable Information, in addition to Social Security numbers, passport numbers, and financial information of many millions of Americans. Late last year the database was audited by the OIG and was found to contain a number of basic security weaknesses, which potentially put all stored data at risk.

The OIG report indicated 22 high risk vulnerabilities were present, 62 medium-risk security flaws and 51 low-risk vulnerabilities. Data was also set to be stored indefinitely, and the database is therefore a potential goldmine for hackers. The OIG recommended that a limit be placed on the length of time data were stored, with 10 years recommended. Generic user accounts were found to be active, user sessions were not encrypted, automatic vulnerability tests were not performed, and insufficient controls were present to log who accessed the data stored in MIDAS.

According to a report issued by the Centers for Medicare & Medicaid Services, all of the security vulnerabilities identified by the auditors were addressed earlier this year.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.