Obamacare Website Has Never Been Breached, Waxman Says

The Obama administration told Congress two days ago that the federal government’s health insurance enrollment system has never been hacked, countering Republican claims that users’ information might be at risk.

There have been 32 “information security incidents” at healthcare.gov as of Dec. 11, U.S. Representative Henry Waxman, a California Democrat, said in a memo today following a briefing with security officials from the U.S. Department of Health and Human Services. None of those incidents, which were serious enough to merit investigation, resulted in a breach, he said.

Republicans have raised concern that the federal health exchange serving 36 states is vulnerable, citing Obama administration e-mails that showed a full round of security tests weren’t completed prior to the website’s Oct. 1 debut. Republicans on the House Science, Space and Technology Committee held a Nov. 19 hearing, where a “white-hat hacker” demonstrated how the site might hypothetically be breached.

“No person or group has hacked into healthcare.gov, and no person or group has maliciously accessed any personally identifiable information from users,” Waxman said in his memo, which was sent to his colleagues on the House Energy and Commerce Committee.

A spokeswoman for the Republican who leads that committee, Representative Fred Upton of Michigan, didn’t immediately respond to a request for comment. A spokesman for the agency overseeing healthcare.gov also wasn’t immediately available.

Data Collection

The federal website covers 36 states while 14 states have created their own marketplaces for people to shop for insurance with the help of government subsidies as part of the Patient Protection and Affordable Care Act of 2010.

The government’s computers collect personal information such as family size and Social Security numbers, as well as financial records and other data from seven federal agencies to determine what health plans people can buy and whether they’ll receive tax credits. Kathleen Sebelius, the U.S. Health and Human Services secretary, told senators at a hearing last month that little of the information is stored by the government.

Of the 32 security incidents, Waxman said one was “an attempted probe or scan” of the system that wasn’t successful, and another was a “denial of service” attack aimed at crashing the site that used malware named “Destroy Obamacare.” That attack also failed.

Fifteen events, classified as “unauthorized access,” involved people accidentally receiving information they shouldn’t have gotten, including an incident in which a South Carolina man’s personal information was sent to a person in North Carolina.

“All the known glitches that caused these incidents have been fixed,” Waxman wrote.

Eleven of the incidents remain under investigation, he said.

To contact the reporter on this story: Alex Wayne in Washington at awayne3@bloomberg.net

To contact the editor responsible for this story: Reg Gale at rgale5@bloomberg.net

Bloomberg reserves the right to edit or remove comments but is under no obligation to do so, or to explain individual moderation decisions.

Please enable JavaScript to view the comments powered by Disqus.