Healthcare.gov Security Flaws Could Make Social Security Numbers Publicly Available

Even if it were functioning properly the Federal Health Care Exchange website would still have problems.

Healthcaredotgov Screenshot

In addition to just plain not working for many people, it’s becoming apparent that the structure of the Federal Health Care Marketplace website is also suffering from some serious security vulnerabilities. For example, web security experts are saying the site is vulnerable to a cyber attack that could leave the personal information of everyone who has applied on the site open to the public:

With Healthcare.gov plagued by technical difficulties, the Obama administration is bringing in heavyweight coders and private companies like Verizon to fix the federal health exchange, pronto. But web security experts say the Obamacare tech team should add another pressing cyber issue to its to-do list: eliminating a security flaw that could make sensitive user information, including Social Security numbers, vulnerable to hackers.

According to several online security experts, Healthcare.gov, the portal where consumers in 35 states are being directed to obtain affordable health coverage, has a coding problem that could allow hackers to deploy a technique called ”clickjacking,” where invisible links are planted on a legitimate web page. Using this scheme, hackers could trick users into giving up personal data as they enter it into the web site, potentially placing Americans at risk of identity theft or allowing fraudsters to file bogus health care claims.

(…)

Kyle Wilhoit, a threat researcher at Trend Micro, a Japanese security software company, studied the Healthcare.gov portal with his security team and found a “moderate risk” for hacking due to an easy-to-fix coding problem that leaves the site vulnerable to clickjacking. Nidhi Shah, who works on research and development for Hewlett-Packard’s Web Security Research Group, found the same problem. This wouldn’t be the first time a federal site experienced coding problems: Earlier this year, SAM.gov, a government contracting award management site, automatically revealed companies’ private data, without a hacker lifting a finger, because of bad coding.

“Common clickjacking would be a popular method to attempt to exploit [the site]” says Wilhoit. “Hackers could use this information in the creation of fake identities, fake credit cards, and fake accounts very easily.” He adds that it’s relatively easy to fix, although the fixed code would need to rolled out on multiple Healthcare.gov pages and potentially state websites as well.

Asked about clickjacking concerns, the Department of Health and Human Services (HHS) referred Mother Jones to this security statement, which says that Americans don’t need to worry: ”If a security incident occurs, an Incident Response capability would be activated, which allows for the tracking, investigation, and reporting of incidents.”

And it turns out that this security flaw isn’t just limited to the Federal website:

Some state Obamacare sites could be significantly more vulnerable than the federal portal. Healthcare.gov site uses a common form of encryption called Secure Sockets Layer (SSL), which prevents information from being intercepted by a hacker after you click “send” (SSL doesn’t defend against most clickjacking). But the 15 states currently running their own independent Obamacare websites do not have explicit instructions from the HHS to use SSL. According to HHS, these states and the District of Columbia, which also has its own Obamacare site, are independently responsible for ensuring that they “develop standards to protect the privacy and security of consumers’ personal information.”

“These state sites…represent more viable targets for direct attack” than the federal data hub, Budd argues. And hackers have been known to target state healthcare programs—last year, over 280,000 Social Security numbers were stolen from Utah’s Medicaid server.

Hawaii, for example, does not automatically use SSL across its entire website, potentially leaving user information vulnerable to hackers—particularly if a visitor to the site is using an open wireless network, such as one at a coffee shop. The same is true with the online health exchanges created by Minnesota and Colorado. Budd notes that attacking state sites “rather than the more fortress-like data warehouse [like the data hub] can be easier to pull off with a greater chance of success.”

This news comes on the same day that Congress held its first hearings regarding the problems with the Federal website, taking testimony from representatives of the main contractors who helped build the site:

WASHINGTON — Federal officials did not fully test the online health insurance marketplace until two weeks before it opened to the public on Oct. 1, contractors told Congress on Thursday.

While individual components of the system were tested earlier, they said, the government did not conduct “end-to-end testing” of the whole system from start to finish until late September.

The disclosure came at a hearing of the House Energy and Commerce Committee, which is investigating problems plaguing the federal marketplace, or exchange, a central pillar of Mr. Obama’s health care overhaul.

Cheryl R. Campbell, a senior vice president of CGI Federal, a unit of the CGI Group, the main contractor on the federal exchange, said that end-to-end testing of the full integrated system first occurred “in the last two weeks of September.”

Another witness, Andrew M. Slavitt of UnitedHealth Group, said, “We didn’t see end-to-end testing until a couple days leading up to the launch” of the federal marketplace on Oct. 1.

UnitedHealth, one of the nation’s largest insurers, owns Quality Software Services, which was in charge of “identity management,” including the use of password-protected accounts, in the federal marketplace.

Ms. Campbell and Mr. Slavitt said they would have preferred to have months of testing, as required by industry standards for a project of such immense complexity. The federal exchange must communicate with other contractors and with databases of numerous federal agencies and more than 170 insurance carriers.

The rollout of the Affordable Care Act has been tarnished by technical problems that have made it difficult for consumers to shop in the federal marketplace serving 36 states.

Ms. Campbell said that CGI continually reported to top officials at the federal Centers for Medicare and Medicaid Services, including Michelle Snyder, the chief operating officer of the agency, and Henry Chao, the deputy chief information officer. Those officials made critical decisions about the federal exchange, Ms. Campbell said.

In response to questions, Ms. Campbell said, “We were not responsible for end-to-end testing” of the whole system. The Medicare agency, known as C.M.S., was responsible, she said.

Mr. Slavitt said that his company had tested computer code for the federal marketplace and had found problems. “We informed C.M.S. that more testing was necessary,” he testified.

Lawmakers from both parties expressed anger during the hearing at the performance of contractors hired to build the online health insurance marketplace, which is still limping along after three weeks.

Lawmakers said they were dismayed because the contractors assured the committee on Sept. 10 that they, their computer systems and the online federal marketplace were ready to enroll millions of Americans eager to buy insurance, subsidized by the government.

“Why did they assure us that the Web site would work?” asked Representative Fred Upton, Republican of Michigan and chairman of the committee. “Did they not know? Or did they not disclose?”

“This is more than a Web site problem,” Mr. Upton said. “The Web site should have been the easy part. I’m also concerned about what happens next. Will enrollment glitches become provider payment glitches? Will patients show up at their doctor’s office or hospital only to be told that they aren’t covered, or even in the system?”

The hearing room was packed with spectators eager to witness the confrontation between lawmakers and business executives whose companies have received tens of millions of dollars to build the federal marketplace, or exchange.

Politics pervaded the session. Republicans said that technical problems crippling the federal Web site epitomized fundamental flaws in the 2010 health care law, Mr. Obama’s most significant legislative achievement.

Democrats said that the law was fundamentally sound, but that the Web site needed to be fixed immediately so people could get the insurance promised to them.

Representative Diana DeGette, Democrat of Colorado, said: “Three weeks after the Web site went live, we are still hearing reports of significant problems. These problems need to be fixed, and they need to be fixed fast.”

Representative John D. Dingell, Democrat of Michigan, lamented the sorry state of the Web site and said: “This is unacceptable. It needs to be fixed.”

But Representative Frank Pallone Jr., Democrat of New Jersey, said the hearing was part of “a cynical Republican effort to delay, defund or repeal the Affordable Care Act.”

Representative Tim Murphy, Republican of Pennsylvania, said the contractors “were shockingly unaware of what was happening or deliberately misleading our committee and the public” when they testified last month that their components of the exchange would be ready on time.

Ms. Campbell said all of CGI’s work had been done “under the direction and supervision” of C.M.S.

“We acknowledge that issues arising in the federal exchange have made the process for selecting and enrolling in qualified insurance plans difficult to navigate for too many individuals,” Ms. Campbell said. “Unfortunately, in systems this complex with so many concurrent users, it is not unusual to discover problems that need to be addressed once the software goes into a live production environment.”

She blamed Quality Software Services for problems that consumers have had creating password-protected accounts. These problems “created a bottleneck that prevented the vast majority of users” from gaining access to the federal exchange, Ms. Campbell said.

The exchange, she said, is “not a standard consumer Web site,” but “a complex transaction processor” that must simultaneously help millions of Americans shop for insurance and enroll in health plans. It must communicate instantaneously with computer systems developed by other contractors and with databases of numerous federal agencies and more than 170 insurance carriers qualified to do business in the 36 states where the federal marketplace operates, she said.

Mr. Slavitt said its identity verification tool was just one part of “the federal marketplace’s registration and access management system, which involves multiple vendors and pieces of technology.”

These were overwhelmed by people trying to use the site, Mr. Slavitt said. One reason for the logjam, he suggested, is that the administration made “a late decision requiring consumers to register for an account before they could browse for insurance products.”

John Lau, a program director for Serco, another contractor, said his company was seeing an increase in paper applications. Serco is supposed to enter data from those applications in the government’s computerized eligibility system, but problems in that system have created challenges for Serco, as they have for consumers, Mr. Lau said.

The same contractors, testifying before the same committee on Sept. 10, assured lawmakers that they were ready to handle a surge of users when the federal exchange opened on Oct. 1.

So, basically what happened is that none of the contracts were willing to take responsibility for what’s gone wrong with the site, or any of the problems with the site. Indeed, for the most part they seemed to push much of the responsibility for what has been happening off onto the Centers For Medicare and Medcaid Services (CMS), the Federal Agency inside the Department of Health And Human Services primarily responsible for the Federal Government’s end of the operation. They blame CMS, for example, for the fact that the architecture of the site needed to be changed less than a month before the site went live so that users would be required to set up accounts, including providing a vast amount of private information right down to Social Security Numbers, before being able to price shop for insurance in their states. It also appears that CMS was largely responsible for the fact that the final system was unable to be tested until some time in mid-September, which seems to be cutting it pretty short for a website that was supposed to debut on October 1st. As I said yesterday, given that this is a system that everyone knew was going to come into existence more than three years ago, the fact that it took so long for the project to get up and running to the point where actual testing was possible seems like a clear failure of project management, both by the government contractors themselves and by the Federal Agency responsible for overseeing the project.

It’s worth noting, of course, that its in the interests of the contractors to point fingers elsewhere. In all likelihood, the work that will need to be done to fix what has gone wrong with the Federal website is going to lead to claims of backcharges against their contracts and, potentially, lawsuits over who was ultimately responsible for what went wrong. There will likely be tens of millions of dollars at stake at the very least, not to mention potential damage to their future ability to secure federal contracts. Nonetheless, as noted above, there were several aspects of today’s testimony that are noteworthy, most especially what seems to be incredibly lax project management by the relevant Federal Agency. This should make next week’s testimony by HHS Secretary Sibelius and other HHS official quite interesting indeed.

FILED UNDER: Bureaucracy, Congress, Environment, Healthcare Policy, Science & Technology, US Politics, , , , , , , , , , , , , , , ,
Doug Mataconis
About Doug Mataconis
Doug Mataconis held a B.A. in Political Science from Rutgers University and J.D. from George Mason University School of Law. He joined the staff of OTB in May 2010 and contributed a staggering 16,483 posts before his retirement in January 2020. He passed far too young in July 2021.

Comments

  1. john personna says:

    According to several online security experts, Healthcare.gov, the portal where consumers in 35 states are being directed to obtain affordable health coverage, has a coding problem that could allow hackers to deploy a technique called ”clickjacking,” where invisible links are planted on a legitimate web page.

    If I understand this correctly, they are saying hackers need write privileges for these legitimate pages, in order to place their fake links.

    That’s like saying a hacker could get admin privileges on OTB, and then do bad things.

    Presumably a big part of OTB (or Obamacare) security is not to hand out admin privileges.

    [IOW, if I understand correctly, a very theoretical risk.]

  2. Rick DeMent says:

    So computers are vulnerable to hackers. Tell me something we don’t already know. And how this is different from any other private company database or computer one the planet I just can’t say.

    God the a listing of all the consumer information out there that has been breached would fill volumes.

  3. Gustopher says:

    @john personna: Actually, there are a lot of ways to get new code onto the web page — any of a number of man-in-the-middle attacks would do it.

    This is pretty amateurish, and disgraceful. Our government should be competent, and this is quite clearly not. I wish we could get an actual investigation of what went wrong, and what lessons to apply to future government work, but I suspect that the Republicans will be too busy trying to score points to seek this out, and the Democrats will circle their wagons under the idiotic, irrelevant attacks and no one will look for the real problems.

    Benghazi, all over again.

  4. john personna says:

    @Gustopher:

    You can’t just say “man in the middle” and then leave it at that. I mean, did you just say that any website that knows your SSN is equally vulnerable?

    And wouldn’t secure ownership of the page, plus SSH connection, prevent insertion of page content?

  5. C. Clavin says:

    If true…then it’s definitely a bug that needs to be fixed. No question. Get someone on it.
    What else you got?

  6. john personna says:

    Healthcare.gov site uses a common form of encryption called Secure Sockets Layer (SSL), which prevents information from being intercepted by a hacker after you click “send” (SSL doesn’t defend against most clickjacking). But the 15 states currently running their own independent Obamacare websites do not have explicit instructions from the HHS to use SSL.

    What a wimpy claim that was! Healthcare.gov uses SSL, and the others if they have any brains surely do, but since they had no “explicit instructions” assume they are idiots?

  7. C. Clavin says:

    So a little off topic…but it turns out that Cruz has a $20,000 health insurance policy.
    A couple of economists are now saying that amounts to an $8000 or so subsidy from the Government.
    Seriously….the guy most responsible for shutting down the Government over Obamacare is getting $8K in Government Health Care Subsidies.
    F’ing socialist.

  8. john personna says:

    @Gustopher:

    This is pretty amateurish, and disgraceful. Our government should be competent, and this is quite clearly not.

    I don’t know why this is getting up-votes, because I’m not seeing it.

    I’ll admit to being only half-way good at security, with a web site developer’s knowledge, and not a security consultant’s or sys admin’s … but I’m not seeing it.

    You can’t just throw around words and say that a site is vulnerable. Of if you do, you’ve only made a general claim that any site is vulnerable.

    If I’m wrong, educate me with some tech detail here.

  9. anjin-san says:

    I just got a letter from one of America’s leading companies telling me that they had been hacked, and some of my data had probably been compromised. They are paying for me to have credit/identity monitoring for the next three years. Must be serious.

    How come the tea party is not coming to rescue me from this danger?

  10. rudderpedals says:

    while (website != PPACA) printf("You're still doing it wrongn");

  11. C. Clavin says:

    @ ANJIN-SAN….
    because the invisible hand can do no wrong…big scary gubmint…not so much

  12. john personna says:

    Not sure if this is parody:

    Computer genius John McAfee has dropped a bombshell on Obamacare enrollees warning Fox News in the video below that Obamacare websites have no way at all to protect those who enroll from hackers robbing their bank accounts blind.

  13. beth says:

    Today I just renewed my identity protection service for another year – paid for by the state of South Carolina since all their tax returns were hacked two years ago. The state has had to pay 8 million dollars a year for this yet you don’t hear any Republicans here calling for investigations. I guess it’s okay when it happens under a Republican administration.

  14. anjin-san says:

    pssssst …. Beth….

    Don’t know if you have heard, but Obama is….. black.

  15. beth says:

    This is more than a Web site problem,” Mr. Upton said. “The Web site should have been the easy part. I’m also concerned about what happens next. Will enrollment glitches become provider payment glitches? Will patients show up at their doctor’s office or hospital only to be told that they aren’t covered, or even in the system?”

    How the heck could anything like this even happen? Aren’t people covered under “Obamacare” just covered by insurance companies or Medicaid – like millions of people already? I’m assuming when your policy is issued you’ll get an ID card showing your policy and number and either the insurance company or the government (in the case of Medicaid patients) will issue payments to providers like they already do millions of times per year. These guys are going to have to come up with better scare tactics. Do they think people don’t know how insurance works?

  16. JKB says:

    @beth:

    Well that depends, was the SC website designed to be open to violations of privacy in violation of the law or was a new vulnerability exploited?

    As the link above highlights from the Time article the Obamacare website transmit personal information in the clear.

    This next item is simply unforgivable – personal identifiable information being transmitted in the clear:

    Even more alarming were the security flaws. An error message from the site relayed personal information over the internet without encryption, while the email verification system could be bypassed without access to the email account. Both security vulnerabilities could be exploited to hijack an account. “Because this is a huge system that people are mandated by law to use, the standard should be higher,” says Simo. “People are going to see it as a high value target.”

    That is against the law and a firing offense. This leaves applicants open to identity theft.

  17. anjin-san says:

    These guys are going to have to come up with better scare tactics.

    Not for Jenos and JKB. Think “frightened little rabbit”…

  18. C. Clavin says:

    The website does seem to be a problem that needs fixing, pronto.
    And I’m sure it will be. Remember…it’s a Republican program. We had to fix Iraq too.
    But the FTC says 9M identities are stolen every year.
    I doubt JKB has ever shown tremendous concern over this.
    What a maroon.

  19. JKB says:

    Sorry, not frightened. Just amused. The task was a bridge to far for the non-DoD side of government and doubly so when theoretically overseen by Progressives. Thankfully, we’ve learned that yet again, Obama was not involved in any aspect of this enterprise other than as figurehead and spokesbot. He’s certainly no George Bush, that guy is responsible for everything. That’s what happens when your the Decider, instead of the Sergeant Schultz of American presidents.

  20. bill says:

    this is nothing compared to the grand scheme of ineptness. any site can get hacked, and this half baked piece of junk is no exception.

  21. Gustopher says:

    @john personna: not sure of the exact vulnerabilities healthcare.gov has, but generally clickjacking will rely upon someone creating a frame around the site, or even proxying the entire site, and then tricking people to go to the URL for the frame or proxy — which then communicates with the original site via https, modifies what it needs either before passing it down or via manipulating the dom on the client side via JavaScript.

    There are fairly well established techniques to make this harder, and a high-value site (banks, healthcare.gov, etc) needs to actually jump through those hoops. The article strongly suggests that the contractors that we hired have not done so. If true, this is a problem, and it suggests that there are likely other problems (if they cannot get the easy stuff right…)

    This is why you get lots of spam telling you to log into paypal, or some bank, etc and you hopefully discover that accounts.evillbank.com has an extra l or something. Healthcare.gov is just as high-value a target, and will face similar threats.

    But, I’ll add the caveat that my own knowledge of web security is a bit lacking — I’m not a security engineer, I just know enough to hunt down the security engineers at work, learn the currently recommended best practices, and use them trusting the security engineers to get the details right.

  22. john personna says:

    @Gustopher:

    not sure of the exact vulnerabilities healthcare.gov has, but generally clickjacking will rely upon someone creating a frame around the site, or even proxying the entire site, and then tricking people to go to the URL for the frame or proxy

    OK fine, but I think that might be more hacking the users than hacking the site. (We should all understand how our browsers or local security software give a green light that we have a secure link to the real site.)

    I did read the informationweek article above, and it does have some hints but is still kind of could/might.

    For instance:

    “We could not access [the] authenticated area of healthcare.gov — the site was overloaded — but if this is the policy applied to any authenticated page of the site, it could expose the site to serious threats like cross-site request forgery (CSRF),”

    So, they didn’t actually find a flaw in the authenticated site.

    And here:

    Shah said. In the past, many websites have used JavaScript “framekillers” to mitigate this type of vulnerability. “However, the introduction of the iFrame Sandbox attribute in the HTML5 specification has rendered that approach useless,” she said.

    Basically an indictment of every HTML5 site.

    It cold be that there are some tweaks to be made, but I’m not really seeing anything found actually _in_ the obamacare secure web pages.

  23. michael reynolds says:

    I think we can all agree it’s a really, really bad website. It’s a huge cock-up.

    Which has nothing to do with the value of the underlying law. Not a thing. It’s like saying the VA does a terrible job of processing vets, so screw vets. The website serves the law, the website is not the law. A bunch of folks in India are waiting to man call centers. They can follow a script, they can enter data, we can, in short, use technology that isn’t the very latest thing. Telephones did not disappear.

    Terrible, terrible website. Irrelevant to underlying value of the law.

    Next point. The inevitable “Gubmint cain’t do nothin’ right.” To which I would say that government did a pretty good job knocking off Iranian centrifuges using advanced programming methods. And the government does apparently a hell of a job at busting into emails and listening to German phone calls. Also: the greatest military on earth. Also: the world’s reserve currency. Also: the dominant diplomatic power on earth.

    In fact, the government is so good at their job they just informed me that I underclaimed income in 2011 (an honest oversight) and strongly suggested I give them a bunch of money. So, they seemed pretty damned competent at that.

    This obvious fiasco of a website does not prove Obamacare is a bad idea, or that the government is doomed to fail.

  24. john personna says:

    @michael reynolds:

    I agree that it’s a bad website (glass below half full), but how bad will be determined over say the next two months (one down, two to go).

    It’s possible, just possible, that a few core errors produce dramatically bad results. They should be found and fixed within a month. If it’s medium bad, two months. If it can’t be fixed in three, then it is as bad as you say.

    But we gotta give the guys some time to work.

  25. C. Clavin says:

    In fact, the government is so good at their job they just informed me that I underclaimed income in 2011 (an honest oversight) and strongly suggested I give them a bunch of money. So, they seemed pretty damned competent at that.

    Bummer.

  26. Gustopher says:

    @michael reynolds:

    I think we can all agree it’s a really, really bad website. It’s a huge cock-up.

    I think we can also agree that if our government functioned properly, there would be investigations as to why this was such a huge cock-up. Both internal investigations in the administration, and likely external investigations through congress. And maybe, just maybe, some recommendations to be followed to prevent future cock-ups.

    Alas, this will be Benghazi all over again, where any actual systemic problems will be lost in the wailing of Republican congress-critters who have no interest in the actual problems, they just want to hang an albatross around Obama’s neck.

  27. john personna says:

    @Gustopher:

    I asked in one of the first [Obamafail] threads when government (Congress) would be smart enough to design in a beta period and measured rollout.

    Possibly this is worse than the the “typical” big-bang launch with millions of day-one users … but I can’t think of any others this big.

    One cite was that Obanacare had more users in the first 24 hours than Twitter in the first 24 months (or similar).

    What this desperately needed was invitational users in a beta program. Blame for not having that spreads very wide.

  28. Matt says:

    @Gustopher: You’re actually doing quite well.

    They seem to be upset that this site has vulnerabilities that even your bank’s site has. Mostly the vulnerabilities are user errors.

  29. anjin-san says:

    @ JKB

    The task was a bridge to far for the non-DoD side of government

    Ah, so the part of the government that YOU like is competent. Hack-proof even. I see.

    Pentagon: Yep, We Got Hacked
    By John P. Mello Jr.
    TechNewsWorld
    08/26/10 9:09 AM PT

    U.S. Deputy Secretary of Defense William S. Lynn III has admitted that the Pentagon suffered a serious security breach in 2008, an incident he categorized as “the most significant breach of U.S. military computers ever.” Though the breach was reported in the press at the time, the DoD has only now publicly acknowledged that it occurred — and that it took 14 months to clean up the mess left behind.

    http://www.technewsworld.com/story/70699.html

    Pentagon Admits 24,000 Files Were Hacked,
    GRACE WYLER JUL. 14, 2011, 4:35 PM 5,815 8

    Unveiling the military’s first-ever cybersecurity strategy, Deputy Secretary of Defense William Lynn admitted today that a “foreign intelligence service” stole 24,000 Defense Department files from Pentagon computer systems this March.

    http://www.businessinsider.com/pentagon-admits-24000-files-were-hacked-declares-cyberspace-a-theater-of-war-2011-7

    Seriously dude, you may be the most clueless mofo on the planet.

  30. anjin-san says:

    And of course, corporate America is uber-competent.

    Major Corporations Attacked in Historic Hacking Case
    By Jennifer BootonPublished July 25, 2013
    FOXBusiness

    A federal indictment unsealed on Thursday alleges that five Russian and Ukraine nationals conspired in a worldwide hacking and data breach dating back to 2007 that targeted major corporate networks, including U.S. banks and retailers, and led to the capture of more than 160 million credit card numbers.

    The U.S. Department of Justice said the theft caused “hundreds of millions of dollars” in losses, making it the largest such scheme ever prosecuted in the U.S. The defendants stole user names and passwords, means of identification, credit and debit card numbers and other personal information.

    http://www.foxbusiness.com/technology/2013/07/25/major-companies-victims-in-biggest-hacking-case/

    When is Issa going to investigate?

  31. Matt says:

    OH tens of millions of CC info are stolen yearly..

  32. Jack says:

    This is not a bug, it’s a feature.

  33. Tyrell says:

    Maybe the problem all along has been that the system is corrupted with spyware. Just install a good spyware program and its fixed.

  34. rodney dill says:

    @Jack: i.e. a Secondary Software Characteristic.

  35. Mikey says:

    This rollout was an unmitigated disaster in IT terms. There’s no other honest way to look at it. Whether or not some corporations also have flaws in their sites is entirely irrelevant.

    Nobody knows how long it will take to fix. Not even the people working to fix it know. It’ll probably take a couple weeks just to figure out exactly what parts are broken, and who knows how long to fix it all. This is more than just some client-side tweaking–there are problems on the back end that are far tougher onions to peel. And those have to get fixed first–you can’t have a nice, pretty customer portal that LOOKS like it’s working well and a back end that’s still a spaghetti mess.

    I don’t say any of this as an opponent of the PPACA. I think it’s flawed, but it’s also very important, and I want to see it work well. Healthcare.gov isn’t the whole PPACA, but it’s the most important customer-facing piece.

  36. rodney dill says:

    The apologists are turning the volume all the way to eleven.

  37. Tony W says:

    Somewhat off topic – as all PII must be protected on a site such as this – but why the heck are SSNs still a ‘secret’? I would love for the Social Security Administration to announce everyone’s SSN will be published on their website Jan 1st 2016. Too long banks and others have misused them as identifiers and treated them like computer passwords.

  38. C. Clavin says:

    “…The apologists are turning the volume all the way to eleven…”

    Um…I don’t see that many apologists. Everyone recognizes and acknowledges the problem.
    As per usual it appears…if you can actually read….that the Benghazi, Parkghazi, APghazi, IRSghazi, Webghazi bunch is again making a molehill into Mt. Everest.
    But you are entitled to your partisan delusions.

  39. Tyrell says:

    @Mikey: It was reported this morning that several people who did manage to get enrolled have discovered that their applications and information were somehow lost or deleted. So now they have the choice of going through the process again, or just forget the whole thing.

  40. C. Clavin says:

    @ Tyrell….
    “…several people…”
    You don’t say. Several whole people? Oh my.
    Clearly the apocalypse is upon us. Republican predictions have come true. Obamacare is truly the end of civilization.

  41. john personna says:

    @Tony W:

    why the heck are SSNs still a ‘secret’?

    No one really has a secure on-line ID. And so banks and other serious sites rely on knowing a number of semi-secure things like SSN, phone number, mother’s maiden name, to “safely” identify us. And so an identify thief tries to gather enough of those things to be convincing.

    In the current system, SSN is a big one.

  42. James Pearce says:

    @Tyrell:

    So now they have the choice of going through the process again, or just forget the whole thing.

    Or they can get their insurance on the open market, which…no hassle there.

    It’s kind of funny. We were warned that old people would die. That young people would game the system. That employers would cut jobs. That government debt would destroy the economy.

    But no one warned us about this website thing. The Cassandra of Greek myth had a better predictive record, and she was more believable.

  43. Tyrell says:

    @john personna: SSN: think about this. Years ago many of the public school systems used student SSN on everything from test score sheets to school id’s. A lot of that stuff wound up in dumpsters, no shredders back then.

  44. Tony W says:

    @john personna: Ya, I get how it works, just lamenting that we have allowed a crappy system of non-secrets to be sufficient to steal identity, because “business!”.

    Technology exists that could do much better, but some actuary somewhere has determined that the loss from fraud is lower than the gain from ease-of-business. Chip & pin is pretty good for example, and is used widely by the credit card industry, except in the exceptional USA.

    Sorry to highjack the thread with this, but it is potentially relevant to the problem at hand. If we had such an identity system available, it would be much harder for tea-drinking sympathizers to sabotage the system – either from the outside, or perhaps from the inside as well.

  45. john personna says:

    Arnold Kling echoes something I wrote at OTB earlier:

    Somebody who had experience with creating a health insurance brokerage business would know that the systems problems are more complicated than just putting up a web site. In the background, the system needs to communicate with the systems at several government agencies and at the insurance companies. That changes it from a simple technical project to a complex, time-consuming, project involving business and technical staff.

    I framed that as a reminder that the project was a public-private partnership, and that the “exchange” depends on real-time response and bids from insurance providers..

    In retrospect we can say that less ambitious goals would have made the top-level exchange sites more robust … basically enter your information, and then expect email offers from area providers.

  46. john personna says:

    @Tyrell, @Tony W:

    We could use retinal scanners … but then they just tear out your eye!

    (Biometrics help, but like bank card/pins they can be intercepted by hackers and re-used.)

  47. john personna says:

    @this:

    Another way to make the system more robust would have been to require any participating insurance company to turn over a rate table. Then the comparison shopping could be done with simple database look-ups. (You could let each provider send updated tables every night, or whatever.)

    I imagine though that the providers demanded interactive control of the offers they were sending back, in response to each customer query.

  48. al-Ameda says:

    @michael reynolds:

    I think we can all agree it’s a really, really bad website. It’s a huge cock-up.

    In California people just go to the State Exchange site. I’m still not sure why anyone goes to the Federal site, it does not seem necessary.

  49. Mikey says:

    @al-Ameda:

    In California people just go to the State Exchange site. I’m still not sure why anyone goes to the Federal site, it does not seem necessary.

    Not every state has an exchange, quite a few are only in the federal system.

  50. steve s says:

    I’m still not sure why anyone goes to the Federal site, it does not seem necessary.

    Some very dim people elected republicans to run their states. Those republicans then refused to set up state exchanges.

  51. rudderpedals says:

    Florida’s one of 30 states that only have the fed exchange. My state is so petty as to have banned its already hobbled state insurance regulators from enforcing all health insurance laws on the books (as explicit retribution for PPACA)

    Wifey nevertheless managed to sign on to the fed system. Suck it, gov.

  52. anjin-san says:

    Flashback: GOP Wanted To ‘Fix’ Medicare Part D After ‘Horrendous’ Rollout

    A few weeks into the launch of the most sweeping health care reform law in a generation, John Boehner declared that the implementation was a disaster.

    “The implementation,” the Republican leader said, “has been horrendous. We’ve made it far more complicated than it should be.”

    Boehner, of course, was talking about the rollout of the new Medicare prescription drug benefit — known as Part D — enacted in 2003 by President George W. Bush. He discussed the implementation woes during a Feb. 6, 2006 appearance on “Fox News Sunday,” on his fifth day as House majority leader.

    But did he want to repeal the benefit? No. The future Speaker soberly acknowledged the problems but saw potential in the law and called for improving it. “The good news is that the competition that’s being created has lowered premiums significantly below where Congress thought they’d be when we put the bill together, so the competition side is good,” he said. “I think the implementation side continues to need to be improved.”

    http://talkingpointsmemo.com/dc/gop-medicare-part-d-obamacare

  53. al-Ameda says:

    @anjin-san:

    “The implementation,” the Republican leader said, “has been horrendous. We’ve made it far more complicated than it should be.”
    Boehner, of course, was talking about the rollout of the new Medicare prescription drug benefit — known as Part D — enacted in 2003 by President George W. Bush

    Lest anyone forget, that Bill was passed by way of Hastert holding the door open until they got the vote count (no Democratic votes needed) necessary to pass it.

    I do not recall that when Democrats took over the House that they (Speaker Pelosi) demanded that Part D be defunded or repealed, do you?

  54. Pinky says:

    @rodney dill:

    The apologists are turning the volume all the way to eleven.

    And the other side’s apologists are deflecting and counter-attacking at eleven. Wouldn’t it be nice to have a discussion at, say, 6?

  55. C. Clavin says:

    Yeah, lets have a conversation at 6…
    Of course that would require some honesty…
    http://www.youtube.com/watch?v=hJxjFicAG90#t=44

  56. john personna says:

    @Pinky:

    Am I not hitting the middle note?

    I acknowledge problems, understand general web technology, but I wouldn’t presume to know what’s going on inside someone else’s app. We’ve seen neither the code nor the error logs.

    Possibly they bit off too much, but possibly they’ll get it all working.

    TBD.

  57. Pinky says:

    @john personna: I dunno. This thread was too hard to stomach.

  58. al-Ameda says:

    @Pinky:

    And the other side’s apologists are deflecting and counter-attacking at eleven. Wouldn’t it be nice to have a discussion at, say, 6?

    Wouldn’t it have been nice if states with Republican governors and legislatures had been implementing their Exchanges instead of delaying, obstructing and interfering with implementation of ACA?

    That would have been nice, and it would also be nice if the questioning of the current ACA website problems wasn’t being done by the same malevolent hypocrites who have done everything they can to oppose and obstruct ACA.

    That said, let’s be sure it is a civil discussion. By the way, with Republicans the discussion level is never going to be 6, it’s inevitably going to be 666.

  59. Moosebreath says:

    @al-Ameda:

    “That would have been nice, and it would also be nice if the questioning of the current ACA website problems wasn’t being done by the same malevolent hypocrites who have done everything they can to oppose and obstruct ACA.”

    And the ones who have again and again made oversized charges on Fast & Furious, Benghazi, IRS, etc., only to see when facts come out there was far far less than promised.

  60. anjin-san says:

    @ Pinky

    hard to stomach.

    Find Seth Rogan and smoke some dope with him. It can often settle the stomach.

  61. C. Clavin says:

    “…I dunno. This thread was too hard to stomach…”

    WTF….
    Reynolds, myself, john personna, anjin-san…all saying yeah, it’s messed up. It’s gotta be fixed.
    I guess it just turns Pinky’s stomach that we aren’t all going full WEBGHazziii!!!!
    Good luck with that.

  62. C. Clavin says:

    @ anjin-san…
    among other things…..

  63. Bob @ Youngstown says:

    I learned yesterday that CGI had “turned off the flag” to allow anonymous price shopping in the exchange…

    However, apparently it is now turned back on, so for those who are interested in doing some shopping:

    https://www.healthcare.gov/find-premi

    Very simple and fast, information is non-specific, you only need enter State, County, age ranges, family or individual coverage.

    In my county County there are 43 estimates available, ranging in price from 194 to 522 per month for individuals from 5 or 6 different insurers.

    IMPORTANT NOTE: The estimates shown on this tool don’t reflect the lower costs you may qualify for based on household size and income.

  64. Pinky says:

    @C. Clavin: Actually, it was your first comment that stood out. Your comment, to the effect that you’d just read an article that you didn’t care about and you just wanted to say that you didn’t care about it, struck me as grossly insincere. I mean, “what else you got?”? I could be wrong. Maybe you’re not defensively saying whatever you think would be best for your political side. But it comes off that way.

  65. Todd says:

    The irony is, if this was just a system to go onto a website and sign up for insurance from one provider … oh say the Federal Goverment medicare office … then building (expanding) that website/system probably would have been much more simple; relatively speaking … and probably much less expensive for all involved too.

    It’s the fact that this has to be a “market” that’s making it complicted.

    … and it is a VERY complicated undertaking. To be honest, I’m actually surprised that the system is functioning as (again relatively) well as it is.

  66. john personna says:

    @Pinky:

    The weird thing about it is, that while the website in general has problems, many liberals took the first assertion of these security problems as a real thing. “OK, you got us.”

    They might actually have been slower, on that particular aspect.

  67. john personna says:

    @Todd:

    Definitely. The requirement for real-time data sharing, because this is a big public-private partnership, makes it a bear.

  68. Todd says:

    Further thought …

    Has anybody asked why we even need heathcare.gov?

    .. or at least why we need it to have all this functionality? Why couldn’t it have just been a portal to the approved insurance providers; who would then be responsible for “selling” their plans, plus calculating and applying for the proper subsidies for customers who qualify?

  69. C. Clavin says:

    Pinky…
    We all agree it’s f’ed up.
    What’s to discuss?
    Some of the security discussions are interesting…but I know nothing about it…and those offering opinions aren’t involved so they are just informed opinions.
    Unless you want to blow it all out of proportion.
    And I think that’s BS.

  70. john personna says:

    @Todd:

    I think it is sadly, a conflicted idea. I think the ACA architects hoped that it would be an easy way for people to cut across all those individual insurance offers. The problem is that insurance companies want to keep fine grained control on the price they offer an individual applicant.

    So, how can you put up a “results” page in a second or two which has all the custom tailored offers from a number of vendors, each exercising dynamic pricing strategies on the applicant pool?

    Maybe you can’t.

    As I say, forcing insurance companies into published rate tables would make the site much easier, but then they’d lose an opportunity on the back-end … to say ask Google if you’ve searched “chest pains” lately, and adjust your rate as a consequence.

  71. David M says:

    @Todd:

    As a reminder, the federal exchange was not expected to cover 30+ states. It was the GOP that decided that they wanted the federal government to run the exchange because they didn’t think the federal government should take over health care. The (relative) success of the state-based exchanges shows that this attempt to sabotage the Obamacare implementation was moderately successful.

  72. Todd says:

    Paraphrasing (because I’m too lazy to go find the link) something I read on Wonkblog (or maybe TPM):

    When it comes to healthcare.gov, the people who want to talk about the problems (Republicans), have no interest in actually seeing them get fixed. On the other side, the people (Democrats) most interested in fixing the problems would prefer not to talk about them (at least until after they’re fixed).

    American politics at it’s finest.

  73. Pharoah Narim says:

    This is simple: Congress created a procurement system that contracts out the heavy lifting and leaves the goverment to be middle management. IT security engineering and integtation/interoperatbility testing are not middle managment functions. Those functions are quality controlled in house by the contractor. So unless one is lucky enough to have a contractor win a contract AND have 1st rate production processes in place—there is not much than can be done other than roll something out and patch it up after the fact.The government doesn’t sit at the contractor facility and look over people’s shoulders. There is a contract deliverable that is presented to the government after the contract ends. There are few options for multi-system/multi agency contract models that allow for centralized quality control and collaboration at the worker bee level. If two contractors are competetors but working on seperate pieces of a tasks…they aren’t going to collaborate directly…they will cooperate with each other through the middle manager (a level too high to solve problems before they snowball.) The only error I see that could have minimized the damage is if they hired an Integrator and have all the other companies as sub-contractors to the prime integrator. You limit your options when you do that though because companies that have good talent…don’t want to be subs to their competetor….unless there is a stupid amount of money on the table. My guess is they wanted the best programmers so went without an integrator/sub model.

    The procurement process is the problem…it makes it virtually impossible to efficiently do large scale projects. Alot of private companies get paid a lot of money though so that’s a win in Congresses eyes.

    As for the security vulnerabilities, Im not seeing it. Any site can be spoofed and trick users into entering personal data. Thats a user education issue.–what’s most important is the back-end-server security and the transmission of the bits after the user submits the form. Healthcare.gov does encrypted transmission so they are good there. There is no such thing as 100% security for anything on the web. The goal is to deny an attack surface to small-timers using the MOST likely attacks known. There is a small elite portion of attackers, mostly employed by governments and organized crime that actually create specialized attacks custom for a target. They are a threat but frankly, they tend to go after bigger fish. Individual SSNs are high value targets. For these guys/gals the only real security is in consistently reconfiguring your security approach to either ruin the attack they’re crafting to go against your system…or its keeps them from coming back in after they’ve gotten access previously. They then have to start the long process of figuring out how to get back in. Its a lot of work being a high-end hacker so it requires a big payoff.

  74. Todd says:

    @john personna:

    I think the ACA architects hoped that it would be an easy way for people to cut across all those individual insurance offers.

    This program was always just going to be a bridge to something like medicare for all (the only question is how long it takes us to get there). That said, once the public option was ruled out, I think the idea that these exchange websites would be anything more than just portals to the insurance companies was overly ambitious (and quite possibly totally unnecessary).

    But then I’m just a guy on the Internet with an opinion. I sure am glad it’s not my job to make actual decisions about this sort of thing.

    … the Monday morning quarterback never throws a bad pass 🙂

  75. Pinky says:

    @Pharoah Narim: I generally agree with your comment, but one thing that can be done is providing sufficient testing time to work out the bugs before a product goes online. You can’t test everything – site volume and the sheer ingenuity of human error can’t truly be simulated – but you can test a lot.

  76. michael reynolds says:

    Democrats frustrate Republicans because we refuse to do what they’d do under identical circumstances: ignore reality.

    We are not the party of epistemic closure. This was demonstrated after the first Obama-Romney debate when Democrats insisted that Obama got his ass kicked. Republicans assumes we’d descend into fantasy-land. When we didn’t, they were disgruntled.

    Same here. We admit this is a huge screw-up and Republicans get cranky because supposedly we won’t talk about it. Well, what is there to discuss after we agree that it is obviously a screw-up?

    See, my GOP friends, when you live in the real world you occasionally find yourself agreeing with the other side. Put down the rage-o-hol and try it some time.

  77. Bob @ Youngstown says:

    @Bob @ Youngstown:

    I learned yesterday that CGI had “turned off the flag” to allow anonymous price shopping in the exchange…

    However, apparently it is now turned back on, so for those who are interested in doing some shopping:

    https://www.healthcare.gov/find-premi…

    Very simple and fast, information is non-specific, you only need enter State, County, age ranges, family or individual coverage.

    In my county County there are 43 estimates available, ranging in price from 194 to 522 per month for individuals from 5 or 6 different insurers.

    IMPORTANT NOTE: The estimates shown on this tool don’t reflect the lower costs you may qualify for based on household size and income.

    Well of course the website folks have changed the page address in the last several hours.

    As of 7:30 pm eastern the new address is:

    https://www.healthcare.gov/find-premium-estimates/

    Happy shopping!

  78. bill says:

    @michael reynolds: it’s not just a river in egypt, even diehard liberoids are disgusted at this piece of junk web site, and they don’t even know what’s on the other side. good for you that your rate went down, but someone who makes less than you got a rate increase- at least have the dignity to thank them for voting the stupid line. and while you’re all in here sucking each others dicks, look outside the window- it’s bad!

  79. bill says:

    @Bob @ Youngstown: thx, 2x the rate i pay now- grand.

  80. anjin-san says:

    @ bill

    good for you that your rate went down, but someone who makes less than you got a rate increase

    Damn, he’s right. On the CA website, my rate went up $3.

  81. An Interested Party says:

    and while you’re all in here sucking each others dicks, look outside the window- it’s bad!

    Oh my, you sound quite frustrated…calm down, sweetie…perhaps you need some of the same activity that you describe above, and it ain’t looking out the window…

  82. bill says:

    @An Interested Party: it’s actually a quote from a zappa tune, this site doesn’t frustrate me at all, it’s my down time- as a working guy i can’t really hang out in here all day, someones gotta pay the bills/taxes for the rest of y’all! party on party girl!

  83. An Interested Party says:

    …this site doesn’t frustrate me at all, it’s my down time- as a working guy i can’t really hang out in here all day, someones gotta pay the bills/taxes for the rest of y’all! party on!

    Spare me, a$$hole…many people who whine about having to pay the bills and taxes of others are often feeding at the government trough themselves, in ways they don’t even recognize…

  84. ADT Calgary says:

    I really enjoyed this article, thanks. The comments are quite heated