Cyber security professionals have warned that the US government's HealthCare.gov website is not safe from hackers, three months after oversights had already been flagged up.
David Kennedy of security consultants TrustedSec told Reuters that the service – informally dubbed "Obamacare" – has not corrected 20 gaps in security in the system that he and other security professionals alerted the government to soon after the service went live at the start of October 2013.
Obamacare is designed to serve 36 states across the US, and has already been besieged by technical errors since launch, going so far as to damage its namesake president's reputation.
Kennedy alleges that hackers can easily access personal customer information, change data that exists on the servers and even find access routes through the HeathCare.gov servers to the endpoints through which customers are accessing the site.
Kennedy is to offer his concerns to the House Science, Space and Technology Committee later today, and has described what he has to impart as "alarming".
Kevin Johnson, another expert who analysed Kennedy's findings, went as far as calling the site "fundamentally flawed". Kennedy himself reported a specific flaw in which he said he was able to extract 70,000 customer health records from the site within four minutes simply by writing a simple computer program to automate the process.
Kennedy said he did even have to directly hack the site to carry out the transaction, as all the records were available on the internet, rather than stored on secure servers.
However, the federal agency that oversees the site, the Centers for Medicare and Medicaid Services, also told Reuters that, to date, "there have been no successful security attacks on HealthCare.gov", and that no "person or group has maliciously accessed personally identifiable information" on the site.
While claiming security testing is conducted to "industry best practices" on an "ongoing basis", the agency did not directly deny Kennedy's claims, and has said it takes the matter seriously.
This paper seeks to provide education and technical insight to beacons, in addition to providing insight to Apple's iBeacon specification
Focus on cost efficiency, simplicity, performance, scalability and future-readiness when architecting your data protection strategy