December 11, 2013
The ObamaCare exchange at Healthcare.gov is so insecure that multiple cyber-security experts and lawmakers are calling for it to be shut down. In addition, professionals are warning potential users to beware of the gaping security flaws, which could expose to hackers and criminals the most private and intimate data of Americans trying to buy health insurance through the federal government’s so-called “marketplace.” In other words, the personal and medical information of anyone deciding to use the website — millions of Americans have already lost their insurance policies owing to ObamaCare, Obama’s known lies about “you can keep it” notwithstanding — may end up in the hands of whoever wants it. Identity thieves are among the primary concerns.
Even the federal government’s own agencies have admitted many of the major problems and the potential disasters they could cause if left unaddressed. The vast majority of the public is suspicious as well. Now, some lawmakers and experts, concerned about the possible bonanza for hackers and identity thieves, want to shut down the whole website until proper security measures can be implemented. That, however, is expected to take months to address, at least — possibly more than a year. At that point, the whole ObamaCare scheme would have to be significantly delayed to avoid penalizing people who were not able to purchase ObamaCare-approved insurance before the deadline.
Multiple “state exchanges” for ObamaCare are also vulnerable, according to experts. Even those touted as among the best by administration officials and pro-ObamaCare zealots have been widely lambasted. An investigation by Computer Forensic Services, commissioned by a local ABC affiliate in Minnesota, for example, tested 12 state government-run ObamaCare exchanges. Of those, most were found to have a vulnerability that could reveal users’ account information to hackers. Among those that passed that particular test, there have been also multiple, separate security concerns expressed by experts.
At the federal site, the issues are even more severe. Indeed, security for the controversial site is so poor that top analysts in the field say it appears to have been built without considering user privacy at all. “When you develop a website, you develop it with security in mind. And it doesn’t appear to have happened this time,” explained expert David Kennedy, who recently testified in Congress about the major security problems with the ObamaCare site. Kennedy, who leads the firm TrustedSec and helps test online security by hacking into websites, also explained that the flaws are unlikely to be resolved anytime soon.
“It’s really hard to go back and fix the security around it because security wasn’t built into it,” Kennedy told CNBC. “We’re talking multiple months to over a year to at least address some of the critical-to-high exposures on the website itself.” Despite having already warned lawmakers and the Department of Health and Human Services about the dangers weeks ago, Kennedy said nothing had been fixed. “And this is just the tip of the iceberg,” he warned in an interview on Fox News this week. Three out of four experts who testified in Congress, including Kennedy, suggested the site be shut down until security was dealt with. All four, two academics and two private-sector researchers, told lawmakers the site was not secure.
Among other potential dangers, Kennedy and other cyber-security experts have said that everything from personal information to users’ computers themselves could be vulnerable to being hijacked via the ObamaCare website. Even basic industry standards on security have not been followed, they said. Incredibly, despite strong pressure, the Obama administration also refused to adopt rules requiring federal officials to notify Americans whose private information has been breached via the government health-insurance website. In other words, anyone who uses the ObamaCare site could have their personal data stolen — and never even know about it.
Rep. Mike Rogers (R-Mich.) has gone on the offensive, making the rounds on TV news programs to alert Americans about the dangers and advocate potential solutions. In an interview on Tuesday with Fox & Friends, Rogers even suggested putting the whole scheme on hold until security is improved. “They should shut the site down, get it functioning, and then test it. Vet it,” he said. “Stress test that system security-wise so that we can make sure that … you can eliminate all the vulnerabilities that are possible in a site that is this bad and this confusing.
Despite the major threats to privacy and security, however, the Michigan Republican said Obama was likely to place politics first. “I don’t care if you’re a Republican or a Democrat. If you’re on the website, your information is exposed in a way that you wouldn’t be exposed in the private sector,” he explained, noting that the issue should transcend partisanship. “We ought to fix that. They should fix it. And, they should take ownership to fix it.” Other Republicans are still hoping to stop ObamaCare entirely before its grip around the nation solidifies, rather than tinkering around the edges to “improve” what even top Democrats have called a “train wreck.”
Speaking on NBC’s Meet the Press, Rep. Rogers went on to claim that the “most important part of this discussion that nobody talks about” is that the security mechanisms in place to safeguard Americans’ private health and financial information are so terrible they do “not meet even the minimal standards of the private sector.” Americans, he added, “should not tolerate the sheer level of incompetence securing this site. And remember how much personal information is not only there, but all of the [federal government data] sites that the [Healthcare.gov] hub accesses would expose Americans’ personal information in a way that is breathtakingly bad.”
Those suspicions were confirmed recently during a congressional hearing, but the facts are even worse than that. Lawmakers and a representative of the company that got the no-bid contract to build the website revealed that, despite federal privacy laws, ObamaCare site participants essentially must agree to have “no reasonable expectation of privacy” when it comes to their most private and sensitive information. House Energy and Commerce Committee member Rep. Joe Barton (R-Texas), who was questioning senior vice president Cheryl Campbell at ObamaCare no-bid-contractor CGI Federal Inc., lambasted the company and the lack of privacy while seeking answers about it all.
Campbell, a classmate of Michelle Obama whose company secured the $678 million contract to build the ObamaCare website boondoggle, admitted that she knew the code included the no-privacy warning. However, under strong questioning from an outraged Rep. Barton, the CGI executive said the company was simply doing what it was ordered to do by the Obama administration. Still, the congressman was fuming. “We’re telling every American, including all my friends on the Democrat side … if you sign up for this or even attempt to, you have no reasonable expectation of privacy,” Barton said. “That is a direct contradiction to [federal health privacy law] HIPAA, and you know it.”
Despite administration efforts to downplay the growing privacy and security concerns about the website, even government investigators have come to alarming conclusions. The Treasury Department’s inspector General for tax administration, for example, warned that “critical elements of the security controls failed during testing.” Separately, an audit by the Health and Human Services Department inspector general reported that the administration was far behind schedule in creating and implementing security for the site. “Several critical tasks remain to be completed in a short period of time,” the audit warned. An internal memo from HHS, meanwhile, explained that the “threat and risk potential is limitless.”
The administration, however, like on a broad array of other scandals, continues to pretend as if everything is fine — at least publicly. “The privacy and security of consumers’ personal information are a top priority,” claimed White House spokesman Jay Carney after the congressional hearings with security experts. “When consumers fill out their online marketplace applications they can trust that the information that they are providing is protected by stringent security standards.”
According to a recent survey commissioned by Investor’s Business Daily, however, the administration’s credibility is all but gone — dropping faster than Obama’s record-low approval ratings, especially after the president and Democrats were exposed knowingly lying about being able to keep health insurance plans. Almost eight in 10 Americans, for example, say people should be worried about security on the ObamaCare site, including 70 percent of Democrats. More than half of respondents said Americans ought to be “very concerned” about it. Fears are even more pronounced among younger Americans, whose massive premium hikes are crucial to the functioning of ObamaCare.
Of course, the privacy concerns are not limited to the website. Project Veritas has publicized multiple undercover stings showing ObamaCare operatives conspiring on video to share personal data for nefarious purposes — including tilting elections in favor of “progressives.” Even more alarming than the security concerns, though, are the entire premises behind the federal healthcare takeover. With ObamaCare becoming increasingly unpopular, supporters of limited government, the Constitution, and free markets are still hopeful that the scheme can be stopped. How much damage and suffering will be inflicted before then, however, remains to be seen.
Alex Newman is a correspondent for The New American, covering economics, politics, and more. He can be reached at [email protected].