NEW YORK (MainStreet) While attempting to complete an application for health insurance on Healthcare.gov for his granddaughter, Ben Simo, a Gilbert, Ariz. software tester, encountered not only a sluggish, glitchy site with account creation issues, but a number of security concerns, as well.
"I identified a series of steps that could be easily automated to collect usernames, password reset codes, security questions, and email addresses from the system -- without any kind of authentication," Simo posted on his blog.
Simo reported the issues to Healthcare.gov's customer service and the Centers for Medicare and Medicaid Services (CMS) patched "the most serious hole" the same day.
"While I am appalled that the issue existed in the first place, I applaud the quick response," Simo wrote.
The issues with the website have been so persistent from the outset that Consumer Reports warned users in mid October to "Stay away from Healthcare.gov for at least another month if you can. Hopefully that will be long enough for its software vendors to clean up the mess they've made."
While some of the initial security concerns reported by Ben Simo have been corrected, he still worries about other data risks lurking on the site.
"Both Secretary Kathleen Sebelius and Andy Slavitt, an executive VP at QSSI, the company tasked with fixing Healthcare.gov, have downplayed security concerns," Simo writes. "They have suggested that personal information is not at risk because The Hub, the Healthcare.gov front end, does not store information; but rather, transports information. A system is only as secure as its weakest link.
If front-end security is poor, then no amount of back-end security can protect information passing through the front end."
Simo says that even if the site doesn't store information, it does return the personal data to the user's browser. He says that information can include a user's name, address, date of birth, phone number, and Social Security number.