The year’s two popular subjects, healthcare and security, make uneasy companions, but with the State Department terminating its contract with the site’s developer, CGI Federal, it was only a matter of time until the security gaps started to leak from Healthcare.gov, with millions of Americans signed on for national health coverage.
For security researcher David Kennedy, CEO of TrustedSec, the site’s lack of security has always been a problem, and he’s able to prove it. Kennedy was able to gain access to 70,000 records in just four minutes. He could have gotten more data, but at that point, his passive reconnaissance proved what security experts have been saying all along: “You can literally just open up your browser, go to this and extract all this information without actually having to hack the website itself.”
Kennedy’s disturbing testimony lays out a long road ahead for Healthcare.gov: “Out of the issues identified last go around, there has been a half of a vulnerability closed out of the 17 previously disclosed and since my last appearance, other security researchers have also identified an additional 20+ exposures on the site.”
Other experts have made similar warnings about the type of data available to hackers:
“Healthcare.gov retrieves information from numerous third-party databases belonging to the IRS, Social Security Administration, Department of Homeland Security, and other State agencies. It would be a hacker’s wet dream to break into Healthcare.gov and potentially gain access to the information stored in these databases. A breach may result in massive identity theft never seen before — these databases house information on every U.S. citizen!”
So while the NSA is busily gathering 200 million text messages every day, Healthcare.gov is an open door to personal data on every citizen.