“These included insufficient encryption and inadequately configured firewalls, among others,” said the report from the investigating arm of Congress. “In September 2015, GAO reported these results to the three states, which generally agreed and have plans in place to address the weaknesses.”
Ricardo Alonso-Zaldivar and Frankfort-based Adam Beam of The Associated Press report, “Vermont authorities would not discuss the findings, but officials in California and Kentucky said this week that there was no evidence hackers succeeded in stealing anything.”
The report said the federal Centers for Medicare and Medicaid Services, which oversees the exchanges, had not fully implemented its oversight of their security and privacy protections.
“The GAO report examined the three states’ systems from October 2013 to March 2015 and released an abbreviated, public version of its findings last month without identifying the states,” AP reports. “Thursday, the GAO revealed the states’ names in response to a Freedom of Information [Act] request from the AP. According to the GAO, one state did not encrypt passwords, potentially making it easy for hackers to gain access to individual accounts. One state did not properly use a filter to block hostile attempts to visit the website. And one state did not use the proper encryption on its servers, making it easier for hackers to get in. The report did not say which state had what problem.”
Steve Beshear, who was governor until early December, told AP through a spokeswoman that “because of the time required to fix the technical issues, not all those issues had been addressed” when Republican Gov. Matt Bevin took over. “It is important to note that there were never any security breaches of any kind, and no one’s information was ever compromised.”
Doug Hogan, spokesman for the Cabinet for Health and Family Services, told AP the fixes “are in various stages of completion and implementation” and security is “of the utmost importance” to the Bevin administration.
Bevin is dismantling Kentucky’s exchange, which Beshear branded as Kynect, and planning to transfer the 93,000-plus people who used it to buy federally subsidized policies to the federal exchange, Healthcare.gov.
“But Kentuckians’ information might not be any safer on the federal exchange,” AP reports. “According to the GAO report, Healthcare.gov had 316 security incidents between October 2013 and March 2015. Such incidents can include unauthorized access, disclosure of data or violations of security practices. None resulted in lost or stolen data, but the GAO said technical weaknesses with the federal system ‘will likely continue to jeopardize the confidentiality, integrity and availability of Healthcare.gov.’”