The website was supposed to provide easy access to a menu of government-subsidized coverage options under President Barack Obama’s health care law. Administration officials say they remain confident it is secure.
“When consumers fill out the online application, they can trust that the information they’ve provided is protected by stringent security standards and that the technology underlying the application process has been tested and is secure,” Medicare administrator Marilyn Tavenner assured the Senate’s Health Committee on Tuesday.
But a short while later, Tavenner acknowledged the Carolinas security breach. “We actually were made aware of that” Monday, she said in response to a question from Sen. Johnny Isakson, R-Ga. “We implemented a software fix.”
It was not immediately clear how the North Carolina man was able to view the personal information of the man in South Carolina. However, one vulnerability that has afflicted websites for years is “horizontal privilege escalation,” in which a legitimate user of a website slightly alters the string of random-looking characters in the website’s address or inside downloaded data files known as “cookies,” causing the system to display information about other users’ accounts. A well-designed website can protect against it.
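As an added illustration of that class of flaw and its fix (not code from the website or from anyone quoted here, and not a claim about what happened in this case), the sketch below contrasts a record lookup that trusts the identifier in the address with one that checks ownership against a signed session cookie. All names, identifiers and records are hypothetical and constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records: each application belongs to exactly one account.
APPLICATIONS = {
    "app-1001": {"owner": "user-nc", "applicant": "Constructed Applicant A"},
    "app-1002": {"owner": "user-sc", "applicant": "Constructed Applicant B"},
}
SERVER_KEY = secrets.token_bytes(32)  # secret held only by the server


def _sign(user_id):
    return hmac.new(SERVER_KEY, user_id.encode(), hashlib.sha256).hexdigest()


def issue_session_cookie(user_id):
    """Cookie value is the user id plus a MAC, so edits to it are detectable."""
    return f"{user_id}.{_sign(user_id)}"


def user_from_cookie(cookie):
    """Return the user id only if the MAC matches; an altered cookie yields None."""
    user_id, _, sig = cookie.rpartition(".")
    ok = user_id and hmac.compare_digest(sig.encode(), _sign(user_id).encode())
    return user_id if ok else None


def fetch_application_unchecked(cookie, app_id):
    """Weak form: any logged-in user receives whichever record the address names."""
    if user_from_cookie(cookie) is None:
        return 401, None
    record = APPLICATIONS.get(app_id)
    return (200, record) if record else (404, None)


def fetch_application_checked(cookie, app_id):
    """Corrected form: the record is returned only to the account that owns it."""
    user = user_from_cookie(cookie)
    if user is None:
        return 401, None
    record = APPLICATIONS.get(app_id)
    # Same answer for "no such record" and "not yours", so the response
    # does not confirm which identifiers exist.
    if record is None or record["owner"] != user:
        return 404, None
    return 200, record
```

The corrected lookup makes the decision on the server from the authenticated session, so changing the identifier in the address or the contents of the cookie no longer changes whose data is shown.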
The administration has declined to explain what happened and how the problem was fixed. A Health and Human Services department official, speaking on condition of anonymity to discuss operations, said they have no evidence such a scenario was involved.
Tavenner, a respected former hospital executive, has emerged as a key cybersecurity decision-maker for the health care law. Her agency, the Centers for Medicare and Medicaid Services, is charged with carrying out the Affordable Care Act.
According to federal law and policy, all government computer systems must have a security certification before going live.