An egregious security breach at healthcare.gov

And it probably won't be the last.

A North Carolina man got the shock of his life when he logged on to his newly created account on healthcare.gov and discovered two messages from HHS about his "marketplace eligibility."

The shock was that the letters were not addressed to him and contained personal information.

The Foundry:

Justin Hadley logged on to HealthCare.gov to evaluate his insurance options after his health plan was canceled. What he discovered was an apparent security flaw that disclosed eligibility letters addressed to individuals from another state.

"I was in complete shock," said Hadley, who contacted Heritage after becoming alarmed at the breach of privacy.

Hadley, a North Carolina father, buys his insurance on the individual market. His insurance company, Blue Cross Blue Shield of North Carolina, directed him to HealthCare.gov in a cancellation letter he received in September.

After multiple attempts to access the problem-plagued website, Hadley finally made it past the registration page Thursday. That's when he was greeted with downloadable letters about eligibility -- for two people in South Carolina.

The letters, dated October 8, acknowledge receipt of an application to the Health Insurance Marketplace and the eligibility of family members to purchase health coverage. One of the letters was addressed to Thomas Dougall, a lawyer from Elgin, SC.


Hadley wrote to Heritage on Thursday night and also contacted the U.S. Department of Health and Human Services, which administers HealthCare.gov, as well as elected officials in his state. He has yet to hear back from HHS, even though HealthCare.gov still displays the personal information of the South Carolina residents on his account.

Hadley reached out to Dougall on Friday to notify him of the breach. Dougall, who spoke to Heritage this evening, said he was evaluating health care options in early October. Dougall said he was able to register on HealthCare.gov, but decided not to sign up for insurance.

"The plans they offered were grossly expensive and didn't provide the level of care I have now," he said.

Dougall said he never saw the October 8 letter until Hadley sent it to him Friday.

After learning of the privacy breach, Dougall spent Friday evening trying to contact representatives from HealthCare.gov to no avail; he spent an hour waiting on the telephone and an online chat session was unhelpful. He also wrote to Senators Lindsey Graham (R-SC) and Tim Scott (R-SC), along with Representative Joe Wilson (R-SC).

"I want my personal information off of that website," Dougall said.

The government of the United States has knowingly opened and is encouraging the use of a website that they know is fatally flawed security-wise -- and just don't give a crap.

This isn't a breach of security. You can't breach something that doesn't exist. And don't buy the line that no personal information is stored on the site. It doesn't have to be. Hackers don't need a database to steal your information. They can spy on you in real time.

Heritage cyber-security expert Steven Bucci, director of the Douglas and Sarah Allison Center for Foreign Policy Studies, said users of HealthCare.gov are leaving their personal information unsecured.

"Once it goes out over the system, it is vulnerable," Bucci said. "There appears to have been a singular lack of concern for security. The site needs to receive and transmit sensitive personal information, yet it has less than state of the art security."

It's open season for hackers on the American people. And your government doesn't want you to know it.



And it probably won't be the last.

A North Carolina man got the shock of his life when he logged on to his newly created account on healthcare.gov and discovered two messages from HHS about his "marketplace eligibility."

The shock was that the letters were not addressed to him and contained personal information.

The Foundry:

Justin Hadley logged on to HealthCare.gov to evaluate his insurance options after his health plan was canceled. What he discovered was an apparent security flaw that disclosed eligibility letters addressed to individuals from another state.

"I was in complete shock," said Hadley, who contacted Heritage after becoming alarmed at the breach of privacy.

Hadley, a North Carolina father, buys his insurance on the individual market. His insurance company, Blue Cross Blue Shield of North Carolina, directed him to HealthCare.gov in a cancellation letter he received in September.

After multiple attempts to access the problem-plagued website, Hadley finally made it past the registration page Thursday. That's when he was greeted with downloadable letters about eligibility -- for two people in South Carolina.

The letters, dated October 8, acknowledge receipt of an application to the Health Insurance Marketplace and the eligibility of family members to purchase health coverage. One of the letters was addressed to Thomas Dougall, a lawyer from Elgin, SC.


Hadley wrote to Heritage on Thursday night and also contacted the U.S. Department of Health and Human Services, which administers HealthCare.gov, as well as elected officials in his state. He has yet to hear back from HHS, even though HealthCare.gov still displays the personal information of the South Carolina residents on his account.

Hadley reached out to Dougall on Friday to notify him of the breach. Dougall, who spoke to Heritage this evening, said he was evaluating health care options in early October. Dougall said he was able to register on HealthCare.gov, but decided not to sign up for insurance.

"The plans they offered were grossly expensive and didn't provide the level of care I have now," he said.

Dougall said he never saw the October 8 letter until Hadley sent it to him Friday.

After learning of the privacy breach, Dougall spent Friday evening trying to contact representatives from HealthCare.gov to no avail; he spent an hour waiting on the telephone and an online chat session was unhelpful. He also wrote to Senators Lindsey Graham (R-SC) and Tim Scott (R-SC), along with Representative Joe Wilson (R-SC).

"I want my personal information off of that website," Dougall said.

The government of the United States has knowingly opened and is encouraging the use of a website that they know is fatally flawed security-wise -- and just don't give a crap.

This isn't a breach of security. You can't breach something that doesn't exist. And don't buy the line that no personal information is stored on the site. It doesn't have to be. Hackers don't need a database to steal your information. They can spy on you in real time.

Heritage cyber-security expert Steven Bucci, director of the Douglas and Sarah Allison Center for Foreign Policy Studies, said users of HealthCare.gov are leaving their personal information unsecured.

"Once it goes out over the system, it is vulnerable," Bucci said. "There appears to have been a singular lack of concern for security. The site needs to receive and transmit sensitive personal information, yet it has less than state of the art security."

It's open season for hackers on the American people. And your government doesn't want you to know it.



RECENT VIDEOS