Obamacare faced more than 300 security incidents over an 18-month span, the government’s top watchdog said Wednesday in a report finding the federal HealthCare.gov website is still riddled with vulnerabilities behind the scenes.
The Government Accountability Office said some of the incidents were attacks by hackers poking to find weaknesses, though investigators do not think they were able to steal any critical personal information such as birth dates or Social Security numbers.
Congressional Republicans said the report, coming on the sixth anniversary of enactment, is the latest indication that President Obama’s health law needs to be scrapped.
The massive HealthCare.gov project stumbled upon launch in October 2013, regaining its footing only after the administration pumped tens of millions of dollars into a major revamp that corrected the front-end experience for users.
GAO investigators, though, said Wednesday that the system’s inner plumbing still needs work to make sure only those who are authorized can gain access to the data hub, and that the network is defended against hackers.
“Although CMS continues to make progress in correcting or mitigating previously reported weaknesses within Healthcare.gov and its key supporting systems, the information security weaknesses found in the data hub will likely continue to jeopardize the confidentiality, integrity, and availability of Healthcare.gov,” the report said.
The administration said 41 out of 316 incidents involved personally identifiable information that was either improperly secured or exposed to an unauthorized person.
GOP chairmen of House and Senate committees told the Health and Human Services Department to explain what happened in those cases and whether the affected HealthCare.gov users were notified.
“If HHS did not inform affected individuals, we urge you to change that policy immediately,” the chairmen wrote.
The GAO also said it found significant weaknesses in the security controls at three state-operated exchanges under Obamacare.
Twelve states, plus D.C., operated their own portals, though the GAO did not name the states it examined. Investigators said CMS’ requirements for state testing are neither continuous nor comprehensive.
In a written response, HHS said the security and privacy of consumers is a “top priority” and that it is committed to “continuously improving” its systems.
“HHS has taken significant steps and implemented robust security controls to protect the security and privacy of the systems and connections supporting HealthCare.gov, including the Hub,” wrote Jim Esquea, assistant HHS secretary for legislation.
He also said HHS will develop specific oversight procedures to ensure that states are continuously monitoring the security of their own exchanges.
• Tom Howell Jr. can be reached at thowell@washingtontimes.com.
