Security flaws found in 3 state health insurance websites

Federal investigators have discovered major security vulnerabilities in the state health insurance websites for California, Kentucky and Vermont that could allow criminals to access sensitive personal data for hundreds of thousands of people.

The Associated Press reports that some of these security flaws remain active and unpatched.

The vulnerabilities were discovered by the Government Accountability Office, the investigative arm of Congress, and shared with state officials last September. Vermont authorities would not discuss the findings, but officials in California and Kentucky said this week that there was no evidence hackers succeeded in stealing anything.

Regulators said that given the number of weaknesses they discovered in just the three states studied, other state-run health insurance exchanges could be vulnerable, too. The GAO recommended the federal government continually monitor cybersecurity at such sites.

The state exchanges were created under President Barack Obama's health care initiative. People who lack health insurance through an employer can buy government-subsidized private coverage through these sites. A dozen states are now running their own online insurance exchanges. The rest of the U.S. either switched to the federal site, or jointly operate exchanges with Washington.

More on how the story came out, from the AP:

The GAO report examined the three states' systems from October 2013 to March 2015 and released an abbreviated, public version of its findings last month without identifying the states. On Thursday, the GAO revealed the states' names in response to a Freedom of Information request from the AP.

According to the GAO, one state did not encrypt passwords, potentially making it easy for hackers to gain access to individual accounts. One state did not properly use a filter to block hostile attempts to visit the website. And one state did not use the proper encryption on its servers, making it easier for hackers to get in. The report did not say which state had what problem.