Healthcare.gov, the Obamacare portal, asks for social security numbers, among other sensitive information.
Some security researchers found that the site can be hacked into.
Kyle Wilhoit, a threat researcher for Trend Micro, a Japanese security software company, told Mother Jones that his team studied the portal and found that it has a “moderate risk” for hacking.
“Common clickjacking would be a popular method to attempt to exploit [the site]” Wilhoit said. “Hackers could use this information in the creation of fake identities, fake credit cards, and fake accounts very easily.”
Sensitive information isn’t permanently stored on the federal level of the website, making the website, overall, fairly secure.
However, 15 states are currently running their own Obamacare websites, and they aren’t required to use a common form of encryption called Secure Sockets Layer.
“Hawaii, for example, does not automatically use SSL across its entire website, potentially leaving user information vulnerable to hackers—particularly if a visitor to the site is using an open wireless network, such as one at a coffee shop,” Mother Jones reports. “The same is true with the online health exchanges created by Minnesota and Colorado.”
Christopher Budd, threat communications manager for Trend Micro, said that attacking state sites, rather than the federal level, “can be easier to pull off with a greater chance of success.”
“These state sites…represent more viable targets for direct attack” than the federal portal, he added.
According to InformationWeek, because of the high-profile nature of healthcare.gov and the other Obamacare portals, identity thieves will likely begin trying to hack in.
“The site handles the sensitive information of millions of Americans: health history, identity, tax records and more,” said Nidhi Shah, who works on research and development for HP’s Web Security Research Group.
To protect yourself, Budd says in a blog post that people should not use a search engine to find health care information, because of the fake sites out there.
“Instead, you should start your search at a known, trusted source: the Federal Government’s or your state government’s sites,” he said. “Use these sites to identify the resources they’ve identified as trustworthy. With that information you can then get more information by going to the sites they recommend (by typing the URL in yourself), calling the numbers listed or even visiting in person. If you do choose to register online, web reputation services that can be found in products like our Titanium can provide an extra degree of protection from known scam sites.”
“You have to take time to be extra careful because this will be a great way for criminals to easily get critical personal information they can use maliciously,” he said.