On Second Thought, Maybe HealthCare.gov Is at Risk from Heartbleed

It seems like only yesterday that the federal government assured us that none of its big public websites – and especially not HealthCare.gov, the ObamaCare exchange site – were at risk from the Heartbleed security flaw, which can allow hackers to steal passwords and personal data.  

Actually, those assurances came last Friday, April 11, in the form of a blog post from the Department of Homeland Security.  “The government’s core citizen-facing websites are not exposed to risks from this cybersecurity threat,” we were assured by DHS National Cybersecurity and Communications Integration Center director Larry Zelvin, as quoted at Nextgov.

One week later, those promises are no longer operative.  There hasn’t been a confirmed attack on HealthCare.gov… but the Administration just told every single user to change their passwords, just to be on the safe side.  

So they were… shall we say… speaking in haste when they assured us last week that absolutely no chance of Heartbleed vulnerability existed.  But you can totes believe them now when they say they’re conducting a review and want millions of users to change their passwords out of “an abundance of caution.”

The Associated Press reports:

Senior administration officials said there is no indication that the healthcare.gov site has been compromised and the action is being taken out of an abundance of caution. The government’s Heartbleed review is ongoing, the officials said, and users of other websites may also be told to change their passwords in the coming days, including those with accounts on the popular whitehouse.gov petitions page.

The Heartbleed programming flaw has caused major security concerns across the internet and affected a widely used encryption technology that was designed to protect online accounts. Major internet services have been working to insulate themselves against the problem and are also recommending that users change their website passwords.

Officials said the administration was prioritising its analysis of websites with heavy traffic and the most sensitive user information.

A message that will be posted on the healthcare website starting on Saturday reads: “While there’s no indication that any personal information has ever been at risk, we have taken steps to address Heartbleed issues and reset consumers’ passwords out of an abundance of caution.”

A reminder: nothing short of a congressional subpoena would ever make this Administration admit that HealthCare.gov has been hacked, and they’d probably fight such a subpoena until (and unless) the bad press from stonewalling became unbearable.  They will never admit to a security breach in this system, because they’re terrified of driving away potential ObamaCare enrollees – especially the young ones who would be likely to react strongly to a security breach.

