Another ObamaCare security breach reported in Vermont
No one should be using Healthcare.gov – it’s an insecure disaster whose reach into several other secure government computer systems makes it a national security risk, and a personal security free-fire zone. God alone knows what hackers have already done to the poorly written, easily exploited system, or what havoc they’re poised to wreak if the famously weak ObamaCare enrollment numbers tick up a bit, and make mischief worth their while.
Meanwhile, the system has an alarming propensity to violate the security of users’ personal information all by itself, even when hackers haven’t gotten involved yet. There have been several reported cases of people logging into the system and seeing the personal information for other users, or being sent files full of sensitive data by the ObamaCare bureaucracy. And it’s not just the federal exchange website – these alarming snafus have been happening to state exchanges too, perhaps due to their interaction with the ludicrous federal system.
The Burlington Free Press brings us the story of yet another security breach, in which an apparently conscientious citizen was mailed somebody else’s personal data, including their Social Security number, and decided to forward it to the victim with a warning:
A report from state to federal officials overseeing the health insurance exchanges set up under the Affordable Care Act said a consumer reported the incident with the Vermont Health Connect website on Oct. 17.
The consumer, whom officials would not identify, reported that he received in the mail — from an unnamed sender — a copy of his own application for insurance under the state exchange.
“On the back of the envelope was hand-written ‘VERMONT HEALTH CONNECT IS NOT A SECURE WEBSITE!’ This was also (written) on the back of the last page of the printed out application,” said the incident report.
This actually happened last month, but of course we’re only learning about it now… and only because the Associated Press pried the information from the bureaucracy’s grip using Vermont public records law. Not only did the state government fail to disclose this security breach when it occurred, they actively lied to conceal it:
Mark Larson, commissioner of the Department of Vermont Health Access, said the incident described in the report was the only one of its kind since Vermont Health Connect launched Oct. 1. He said technical changes had been made in the way the system handles user names and passwords.
“This was one case and it was responded to appropriately,” Larson said, adding that the department’s main concern is data security and making sure the “unique circumstances” that led to the breach cannot be replicated today.
During a meeting of the House Health Care Committee on Nov. 5, Rep. Mary Morrissey, R-Bennington, asked Larson to comment on information she had received about a security breach or breaches on the system. Larson said his department had investigated one such complaint and it had proven unfounded.
Morrissey said Friday she was disturbed to hear now that the department had reported a breach to CMS more than two weeks earlier.
What’s even more disturbing is to wonder how many other incidents the governments of various states, and the train-wreck engineers in Washington D.C., are keeping quiet until reporters overcome the necessary legal challenges to force them into the open. There is clearly no reason to take anyone involved in the ObamaCare debacle at their word – they lie about everything, conceal damaging information from both the public and other government officials, and seem entirely focused on surviving one news cycle at a time, deferring bad news for as long as possible to keep the ugly headlines from reaching critical mass.
It’s increasingly clear that Healthcare.gov won’t meet the promised November 30 deadline for relaunch with near-total operating capacity. But if the online system ever does improve enough to allow a surge of applicants to get past the front end of the system, they’ll be walking into a data security nightmare, made all the worse by the incontrovertible fact that none of the hasty last-minute fixes could possibly have been tested for either hacker protection, or the kind of self-generated data integrity breach administrations don’t want to discuss, until freedom of information laws force them to.