A web portal used by Americans to apply for and monitor health coverage under the Affordable Care Act endured hundreds of hacking attempts over a period of 18 months, a report from the Government Accountability Office (GAO) has revealed.
The in-depth analysis said that none of the targeted attacks against HealthCare.gov were successful in stealing sensitive user data such as names, addresses, financial information or social security numbers (SSNs) but did highlight a number of security concerns that could potentially be exploited in the future.
According to the 55-page report, most of the incidents involved hackers 'probing' the security of the Obamacare website and its databases looking for weaknesses. All of the attempted intrusions noted in the report took place between October, 2013 and March, 2015. Of the 316 incidents, 41 involved personal information that was not properly secured or was exposed to an unauthorised member of staff.
The GAO, which is a non-partisan and independent watchdog, found flaws in how the Centres for Medicare and Medicaid Service (CMS) – the federal agency that runs the website - protects a key 'data hub' that is used to transfer sensitive personal data between various federal departments such as the Internal Revenue Service (IRS) and Homeland Security.
The GAO raised concerns about how the agency was not consistently patching systems and not sufficiently restricting administrator privileges for access to the computer network.
"Although CMS continues to make progress in correcting or mitigating previously reported weaknesses within Healthcare.gov and its key supporting systems, the information security weaknesses found in the data hub will likely continue to jeopardise the confidentiality, integrity, and availability of [the HealthCare.gov website]," the report noted.
"The information that is transferred through the data hub will likely remain vulnerable until the agency addresses weaknesses pertaining to boundary protection, identification and authentication, authorisation, encryption, audit and monitoring, software updates, and configuration management."
The concerns will likely be urgently addressed as federal computer systems located in high-profile departments – from the Office of Personnel Management (OPM) to the Department of Justice (DoJ) - continue to face persistent cyberattack attempts. Most recently, a hack against the networks of the Department of Homeland Security (DHS) resulted in the loss of nearly 30,000 federal employee records, 20,000 of which reportedly named FBI agents.