Printed from http://www.electronista.com

Researcher: Healthcare.gov site still flawed, leaks personal data

updated 08:36 pm EST, Tue January 21, 2014

Users' personal information still reachable from the site with an advanced Google search, researcher says

According to TrustedSec chief executive David Kennedy, the security issues his firm reported to Congress have not been rectified following the December relaunch of the US government's healthcare site, Healthcare.gov. In particular, the firm was able to find at least 70,000 records containing personal information, including full names, addresses, user names and, in some cases, Social Security numbers, using nothing more than an advanced Google search. The company says that, to date, the flaws enabling this and other exposures have not been fixed.

The CEO notes that "there are a number of other [problems] that have been reported privately that continue to expose users of the healthcare.gov website. It appears that the release and launch date of the website was purely on the functional levels, not that of the security."

In a blog post this week, Kennedy stressed that the group performed "no 'hacking' or 'cracking' at all on the website. We didn't test for SQL Injection, run scanners, port scan the website, or even modify input parameters. Anything of that sort is offensive, and not within my rights or [something I] am allowed to perform. We did no active testing, or attempt to expose sensitive information or bypass any security mechanisms on the site." Nevertheless, the group was able to reach 70,000 users' personal information "using basic Google search terms and browsing through a web browser." In other words, the records were exposed to anyone who could locate their URLs; no security control had to be defeated. No medical or healthcare-related information was found through the Google searches, as the site does not store medical or treatment records.
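The exposure described above is the classic search-engine-indexing problem: pages holding personal data were fetched and indexed by a crawler, so anyone with the right query could find them. The script below is an added example, not code from the article, from TrustedSec or from Healthcare.gov, showing the check a site owner can run over its own responses: does a page that carries personal data answer with a 200 and no `noindex` directive, making it indexable? Every path, header and body in it is a constructed sample; the SSN pattern is only a crude signal for "this page holds PII".

```python
"""Added example (not from the article or TrustedSec): audit whether pages
that hold personal data are exposed to search-engine indexing.

All paths, headers and bodies below are constructed samples, not real
healthcare.gov responses."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample responses: (path, HTTP status, response headers, body).
SAMPLE_RESPONSES: List[Tuple[str, int, Dict[str, str], str]] = [
    ("/account/profile?id=1001", 200,
     {"Content-Type": "text/html", "X-Robots-Tag": "noindex, nofollow"},
     "<html><body>Name: Jane Doe<br>SSN: 123-45-6789</body></html>"),
    ("/account/profile?id=1002", 200,
     {"Content-Type": "text/html"},
     '<html><head><meta name="robots" content="noindex"></head>'
     "<body>Name: John Roe<br>Address: 2 Elm St</body></html>"),
    ("/account/profile?id=1003", 200,
     {"Content-Type": "text/html"},
     "<html><body>Name: Ann Poe<br>SSN: 987-65-4321<br>Address: 1 Main St</body></html>"),
    ("/help/faq", 200,
     {"Content-Type": "text/html"},
     "<html><body>How do I reset my password?</body></html>"),
    # The durable fix: the record is behind authentication, so an unauthenticated
    # crawler never sees the content at all.
    ("/account/profile?id=1004", 401,
     {"Content-Type": "text/plain", "WWW-Authenticate": 'Bearer realm="account"'},
     "Unauthorized"),
]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
META_ROBOTS_RE = re.compile(
    r'<meta\s+name=["\']robots["\']\s+content=["\']([^"\']*)["\']', re.IGNORECASE)


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def robots_directives(headers: Dict[str, str], body: str) -> Set[str]:
    """Collect robots directives from the X-Robots-Tag header and <meta name=robots>."""
    directives: Set[str] = set()
    for source in [_header(headers, "X-Robots-Tag")] + META_ROBOTS_RE.findall(body):
        for token in source.split(","):
            token = token.strip().lower()
            if token:
                directives.add(token)
    return directives


def is_indexable(status: int, headers: Dict[str, str], body: str) -> bool:
    """True if a crawler that fetched this response may index its content.

    Only a successful response can be indexed; 'noindex' or 'none' opts out.
    A 401/403 is never indexable because the crawler never received the data."""
    if status != 200:
        return False
    return not ({"noindex", "none"} & robots_directives(headers, body))


def contains_pii(body: str) -> bool:
    """Crude PII signal: a US SSN-shaped number in the body."""
    return bool(SSN_RE.search(body))


def audit(responses) -> List[Tuple[str, bool, bool]]:
    """Return (path, indexable, carries_pii) for each response."""
    return [(path, is_indexable(status, headers, body), contains_pii(body))
            for path, status, headers, body in responses]


def exposed_pages(responses) -> List[str]:
    """Paths a search engine could index that also carry PII: the findings."""
    return [path for path, indexable, pii in audit(responses) if indexable and pii]


if __name__ == "__main__":
    for row in audit(SAMPLE_RESPONSES):
        print(row)
    print("exposed:", exposed_pages(SAMPLE_RESPONSES))
```

Two caveats a practitioner should keep in mind. `noindex` and robots.txt are requests to well-behaved crawlers, not access controls: they do nothing for someone who already has the URL, a page that was indexed before the directive was added stays in the index until it is re-crawled or removed through the search engine's removal tools, and a robots.txt that lists the sensitive paths publicly advertises them. The only row in the sample that is actually safe is the one that answers 401, because the data never left the server.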

Kennedy noted that since the original Congressional testimony, the Department of Health and Human Services has "hired respectable companies to perform testing ... the hope is that they [are] given enough time and are allowed to perform full scope assessments, including source code analysis, and dynamic testing." Unfortunately, he wrote in this week's blog post, "to what extent this testing has occurred is an unknown, but the fixes haven't been put in place from what we can see."



By Electronista Staff
Comments

  1. prl99

    Dedicated MacNNer

    Joined: 03-24-09

    Great, now hackers will go after the web site in full force. Thanks for telling everyone about the web site's problems before they can be fixed.

  2. GopherAlex

    Fresh-Faced Recruit

    Joined: 06-23-06

    When Apple's developer portal got cracked, they pulled the whole site offline and only redeployed it after it had been fixed for good. It was offline for over a week, if I remember.

    The U.S. government apparently operates according to different... standards. Pre-alpha quality code, private health information just a google search away, no cracking required? Ehhh.... we're working on it.

  3. chas_m

    MacNN Editor

    Joined: 08-04-01

    To be fair, this is very new territory for the US (most other countries did all this *years* ago, but then most other countries don't have 330 million people to serve). Any student of history will tell you that other very successful government programs (VA, Post Office, Social Security, Medicare) also had rocky starts (often with active sabotage by the opposing political party).

    Certainly, we need to call the White House and DHS and urge them to close these gaps and problems, to make security just as important as functionality -- but let's also keep a little perspective: how safe do you think your private medical records are in the hands of for-profit health insurance companies?

  4. Spheric Harlot

    Clinically Insane

    Joined: 11-07-99

    I don't know about "most other countries" having done this "years ago".

    Most other countries have solutions to health insurance that date back to decades before anyone would have imagined to implement a stupidly high-tech method. Whee, interwebs!

    If I wish to switch health insurance companies, I write an email or call, and am sent a contract PDF via email that I print out, sign, and snail mail back.

    This sounds arcane, but it a) ****ing WORKS, and b) probably costs an order of magnitude less than this fiasco.

  5. Mr. Strat

    Junior Member

    Joined: 01-23-02

    This government takeover of the health care system is not starting off well and will end up even worse. Even if they get the tech end straightened out, the end result will be poorer quality of care that is expensive and rationed.

    Hope & change, baby!

  6. Spheric Harlot

    Clinically Insane

    Joined: 11-07-99

    Originally Posted by Mr. Strat:

    "This government takeover of the health care system is not starting off well and will end up even worse. Even if they get the tech end straightened out, the end result will be poorer quality of care that is expensive and rationed."

    Just like everywhere else in the free world, right?

    Jeez, Americans. Takes them a century to catch up with civilization, and then they need to reinvent it and botch it up completely in the process.

    And then there's people like you, which just crowns the whole ridiculous affair.

    We'll see you in thirty years, when your grandkids just laugh at you incredulously.

  7. xomniron

    Fresh-Faced Recruit

    Joined: 10-17-13

    The (un)Affordable Healthcare Act is indefensible on many levels. It is financially unsustainable, despite the creative accounting required to get it passed in Congress. It is more expensive for individuals and, in fact, more people are uninsured now than before it was implemented. Fact. Add to that this EPIC FAILURE of the healthcare.gov web site -- with its $350+ million budget, BTW -- which is as embarrassing as it is incompetent. People should be losing their jobs over this, including Kathleen Sebelius -- yet, to date, no one involved with this debacle has even been reprimanded. And these are the people who will be running the healthcare system? It won't take 30 years to realize the ACA is a bad law that is poorly implemented. Historians will not treat Mr. Obama, Ms. Sebelius, and the Democrats kindly over this one.

    The rationing and death panels imposed by gov't bureaucracy is a topic for another forum, but you cannot deny that will happen. There will never be enough money, just like every other gov't-run program -- VA, Post Office, Social Security, and Medicare. Their start-ups may have been rocky, but nothing like this.

    I am opting out. I'll take the tax penalty. And I'll pay cash for any medical care. There is no way I'm going anywhere near this thing.

  8. Spheric Harlot

    Clinically Insane

    Joined: 11-07-99

    You do realize that being able to opt out negates virtually everything you've been criticizing?

    Rationing and death panels are moronic propaganda that become completely meaningless when your next sentence states how they don't apply.

    It's especially funny in the light of the current situation, where cash-only dictates who lives and who dies, and who goes bankrupt surviving.

  9. Flying Meat

    Dedicated MacNNer

    Joined: 01-25-07

    @GopherAlex: "private health information just a google search away"
    I note that the article specifically does NOT say private health information was exposed.
    Where did you get the "private health information" reference from?

  10. xomniron

    Fresh-Faced Recruit

    Joined: 10-17-13

    "Rationing and death panels are moronic propaganda that become completely meaningless when your next sentence states how they don't apply."


    Moronic? No, moronic is denying that health care will not be rationed under this ACA system. Under private insurance (or even pre-ACA group insurance), if a 90-year-old person needs a hip replacement, he or she could expect it to be done in a timely manner. What will happen when the gov't is running this? One needs only look to Canada or England to see -- too old, not worth the cost, wait 3 years ... or take the blue pill and go home.

    "Don't apply?" Because I said I'd pay cash if I had to? Cash-only is obviously not a long-term solution. My point was I'm choosing to stay away from the healthcare.gov web site as the primary method of ACA implementation. I'm not alone in the choice. I will try to wait until something more sustainable, more secure, and actually rational replaces it. Your comment was disingenuous. Rationing and death panels will exist, if not already. And it applies to ALL of us, because the gov't is now in control of who gets medical care and who doesn't. Do not doubt that.


    As usual, Spheric, you resort to name calling when someone doesn't agree with you. But even you have to agree this is a piss-poor way to implement the ACA law. This web site is only the tip of the iceberg of the problems. Those running it won't even tell us how many people have signed up. They can't even say how many have actually paid the premium.


    How did this site get built without any analytics to track its use?

  11. Spheric Harlot

    Clinically Insane

    Joined: 11-07-99

    Maybe it's not entirely silly. It just looks that way from here.

  12. Flying Meat

    Dedicated MacNNer

    Joined: 01-25-07

    And you're still not comparing the downside of the pre ACA system to the stated goals of the ACA system, xomniron.

    The most expensive healthcare system, out of the reach of millions, vs. the ACA.
    They have reported signup rates.
    While not specifically stated as ACA program activity, this has some information covering the time frame in question:
    http://aspe.hhs.gov/health/reports/2014/MarketPlaceEnrollment/Jan2014/ib_2014jan_enrollment.pdf

  13. Flying Meat

    Dedicated MacNNer

    Joined: 01-25-07

    Then of course there is this:
    https://www.healthcare.gov/blog/millions-transitioning-to-coverage/

    or this:
    http://articles.latimes.com/2013/nov/18/nation/la-na-obamacare-increase-20131119

    I've cherry picked, of course, but I presume you do the same...

  14. xomniron

    Fresh-Faced Recruit

    Joined: 10-17-13

    Stated goals like, "If you like your insurance, you can keep your insurance. Period." Or, "Premiums will drop an average of $2,500." Those goals? Mr. Obama flat-out lied to us about it. That's fact, not cherry picking. He has moved the goalposts on the ACA implementation so many times, no one knows what to expect anymore.


    I submit that the stated goals of the ACA will never be realized and it is going to cost taxpayers A LOT MORE to support this thing than anyone is willing to admit. Pre-ACA health care costs are going to look like a pretty good deal before Mr. Obama ends his second term. Too bad we won't be revisiting this at that time to see who was right.

    A lot of people have lost their insurance under this ACA system.

  15. Flying Meat

    Dedicated MacNNer

    Joined: 01-25-07

    Most people could, and do, keep their current insurance. If a company decides their employees must be summarily dropped from their current coverage, well... It would be interesting to determine why that happens. ACA does not require it unless the coverage is demonstrably poopie comparatively. Even then, there is/was a manageable time frame for notification and subsequent implementation.
    Commoditization typically results in lower prices (and arguably lower quality) so time will tell what happens to prices and availability of health services. It's a bit early to declare "I told you so."
