Insecure healthcare.gov allowed hacker to access 70,000 records in 4 minutes

When it comes to the atrocious state of HealthCare.gov security, white hat hacker David Kennedy, CEO of TrustedSec, may feel like he’s beating his head against a stone wall. Kennedy said, "I don't understand how we're still discussing whether the website is insecure or not. It is; there's no question about that." He added, "It is insecure - 100 percent."

Kennedy has continually warned that healthcare.gov is insecure. In November, after the website was allegedly “fixed,” he told Congress it was even more vulnerable to hacking and privacy breaches. Before Thursday's congressional hearings, Kennedy wrote, “Out of the issues identified last go around, there has been a half of a vulnerability closed out of the 17 previously disclosed and since my last appearance, other security researchers have also identified an additional 20+ exposures on the site.”


Last week, Kennedy testified again about holes in healthcare.gov that could allow hackers to access personal information like names, social security numbers, email addresses, home addresses and more. And because other government sites like DHS and IRS are integrated into healthcare.gov, for verification purposes, hackers could also access those other government sites and create an online profile for practically anyone in the system.


Then yesterday, after explaining “passive reconnaissance, which allows us to query and look at how the website operates and performs,” Kennedy said he was able to access 70,000 records within four minutes! It was “a rudimentary type attack that doesn't actually attack the website itself, it extracts information from it without actually having to go into the system.”

Kennedy also told Fox News Sunday, “70,000 was just one of the numbers that I was able to go up to. And I stopped after that. You know, and I'm sure it's hundreds of thousands, if not more and it was done within about a four-minute time frame. So, it's just wide open. You can literally just open up your browser, go to this and extract all this information without actually having to hack the website itself.”
[…]