
Preventative Treatment For Heartbleed On Healthcare.gov (81 comments)

Posted by timothy
from the welcome-to-centralized-medicine-dot-gov dept.
As the San Francisco Chronicle reports, "People who have accounts on the enrollment website for President Barack Obama's signature health care law are being told to change their passwords following an administration-wide review of the government's vulnerability to the confounding Heartbleed Internet security flaw." Take note, though; the article goes on to immediately point out this does not mean that the HealthCare.gov site has been compromised: "Senior administration officials said there is no indication that the HealthCare.gov site has been compromised and the action is being taken out of an abundance of caution. The government's Heartbleed review is ongoing, the officials said, and users of other websites may also be told to change their passwords in the coming days, including those with accounts on the popular WhiteHouse.gov petitions page." Also at The Verge
  • by davidhoude (1868300) on Saturday April 19, 2014 @10:45PM (#46797787)

    Due to the fact that this exploit leaves no traces in server log files, we have concluded that there is no evidence of an attack on our servers.

  • by SuperKendall (25149) on Saturday April 19, 2014 @11:28PM (#46797891)

    I have no love for Healthcare.gov, but honestly just about every site is sending out notices that people may want to change passwords. Heck, Yahoo *made* me change my password.

    Like everyone else they don't know if anything was taken. And frankly, Heartbleed is probably the least of the security issues Healthcare.gov has... I'd be way more worried about backend systems, and then it doesn't matter what your password is.

  • by laird (2705) <lairdp@gma i l .com> on Sunday April 20, 2014 @01:18AM (#46798141) Journal

    The site doesn't have any medical information at all. That's one of the advantages of outlawing the "pre-existing condition" scam - you no longer have to tell insurers your medical history to buy insurance. And the web site only needs enough other information to verify your identity and income (for computing the subsidy you qualify for, if any). And since they don't collect any payments, they have no payment info (no credit card numbers, etc.) or any credit history.

    And on top of that, once the data is passed to the insurance company and accepted by them, the personal data is purged from the web site.

    So all you can get by hacking the site is the partial data from people who haven't completed the process yet. And that's mainly name, social security number, and claimed income. Which is much less information than anyone on the planet can buy about anyone in the US for a few dollars from any credit reporting service - for a few bucks, they'll sell your complete transaction history, credit ratings, income, debt, etc., - all much scarier than the minimal amount of info on the healthcare site.
