WASHINGTON–A new GAO report suggest that HealthCare.gov was the target of more than 300 security incidents during an 18-month period, but also notes there is no evidence cyber-crooks have penetrated the site or obtained any personally identifiable information (PII).
The GAO said the site, better known as Obamacare, should make a number of security and privacy control enhancements. In all, from October 2013 through March 2015, the GAO said there were 316 different incidents related to attempts to breach HealthCare.gov’s security.
"The majority of these incidents involved such things as electronic probing of CMS systems by potential attackers, which did not lead to compromise of any systems, or the physical or electronic mailing of sensitive information to an incorrect recipient," the report states.
GAO said it found only one incident that "involved a confirmed instance of an attacker gaining access to a HealthCare.gov-related server, and in that case it was a test server that contained no PII.
GAO, acknowledging steps have been taken to improve security, identified these weaknesses:
- Insufficiently restricted administrator privileges for data hub systems.
- Inconsistent application of security patches.
- Insecure configuration of an administrative network.
The GAO also says it identified additional weaknesses in technical controls "that could place sensitive information at risk of unauthorized disclosure, modification or loss."