Preventative Treatment For Heartbleed On Healthcare.gov

As the San Francisco Chronicle reports, "People who have accounts on the enrollment website for President Barack Obama's signature health care law are being told to change their passwords following an administration-wide review of the government's vulnerability to the confounding Heartbleed Internet security flaw." Take note, though; the article goes on to immediately point out this does not mean that the HealthCare.gov site has been compromised: "Senior administration officials said there is no indication that the HealthCare.gov site has been compromised and the action is being taken out of an abundance of caution. The government's Heartbleed review is ongoing, the officials said, and users of other websites may also be told to change their passwords in the coming days, including those with accounts on the popular WhiteHouse.gov petitions page." Also at The Verge

Re:Yea right...

[Penguinisto]

Leads to an honest question that cropped up... does the federal government have to abide by any sort of data-breach reporting laws (be they state or federal)?

(maybe they have their own, maybe they're exempt... I'm not a lawyer, but it'd be worth looking up...)

Absurd position by the government

[JohnM4]

This is completely absurd. They have to know right away whether or not their website logins were vulnerable (that is, were they running OpenSSL with the bug) or whether they were running other versions of SSL without heartbleed. It's a black and white situation. There's no gray middle ground.