Published November 21st, 2013 at 1:04 PM EST, modified November 21st, 2013 at 1:04 PM EST
This is not a Mac-specific issue, but it’s important. The now-infamous Healthcare.gov website has more problems up its sleeve. Notably, it is shockingly insecure, and data that has been entered there may not be safe. I strongly advise people to exercise extreme caution with the site, and would highly recommend not using it at all, until some unknown time in the future when the problems have been fixed.
Before proceeding any further, I feel that it is important to reveal my biases. I feel very strongly that the Affordable Care Act is poorly thought out and destined to be a drawn-out, expensive and messy failure. Since this blog is not a political platform, I prefer not to discuss such things here. However, this is a topic rooted in politics, and thus it’s only fair to the reader to admit to my thoughts on the matter.
If this bias means that you cannot trust the objectivity of this article, I fully understand. In that case, I would recommend that you see the additional news sources at the end of this article. If nothing else, at least read the Congressional report prepared by David Kennedy, CEO of TrustedSec, who was one of several security professionals tasked with evaluating the security of the site. That report can be found here:
In a nutshell, this document describes a number of different security issues with the site. Issues include things like unacceptable disclosure of personal information (some of which is available with nothing more than a simple Google search), redirection weaknesses that could be utilized in phishing attempts, vulnerabilities that could allow access to or modification of data in the site’s databases, and vulnerabilities that could allow an attacker to upload malicious content to the site or load malicious content within a page on the site. Basic security of the interface has been ignored to the extent that it is trivial for a brute-force attack to gather a list of valid user names, which could then be attacked by brute force to gain the password.
These are very serious problems. They could lead to hackers gaining access to accounts or accessing user data through vulnerabilities, and make phishing scams much more believable. More frightening, though, are the critical vulnerabilities mentioned in the report that could not be responsibly disclosed. Given the seriousness of what was exposed, the imagination goes to a very dark place when contemplating what was too bad to expose!
For these reasons, I strongly advise not creating an account on the Healthcare.gov site for a while. How long it will be until the site is safe is hard to say, but it could be a very long time, from what the conclusion of Kennedy’s report implies. In the meantime, if you need to access these services, use one of the alternate methods listed in the Healthcare.gov Contact Us page, such as a simple phone call to one of the provided 1-800 numbers.
If you already have an account with personal information on the site, I honestly don’t know what to tell you. I have not used the site, as my current health plan is still good under the ACA, so I don’t know whether it is possible to remove personal information or delete an account, and what effects that may have on your health insurance. I would recommend that you contact someone through one of the methods at the HealthCare.gov Contact Us page. Express your concerns and ask about your options for removal of personal information from the site.