Healthcare.gov Security Fail Is a Government Tradition

Surprised by the abysmal Healthcare.gov security? You shouldn’t be.


Because the Obama-compliant media is all too willing to let us forget, it is hard to remember all the incredible problems with the government’s healthcare exchange. But one major problem (which is almost certainly still with us) was the lack of security.

In fact, this was not just an issue of incompetence, but also of deception and reckless endangerment, as Americans were encouraged (and legally required!) to entrust their personal information to an unsecured database.

But none of that is anything new.

From the Washington Post: “Federal sites leaked the locations of people seeking AIDS services for years.”

Two federal government Web sites that help people find AIDS-related medical services have begun routinely encrypting user data after years in which they let sensitive information – including the real-world locations of site visitors – onto the Internet unprotected.

Until the change, these sites had risked exposing the identities of visitors when they used search boxes to find nearby facilities offering HIV testing, treatment and other services, such as substance abuse and mental health counseling, say security experts. Government smartphone apps associated with one of the Web sites, AIDS.gov, also transmitted the latitude and longitude of users seeking services, after collecting those details from the phones of users.

The sites and apps did not themselves track visitors, but their data was handled in ways that could have enabled monitoring by employers, universities or others with access to the data flowing between individual devices – such as computers and smartphones – and the Internet. Even using a public wifi signal, offered by a coffee shop or airport, could have allowed a nearby hacker to learn that an individual user, wielding a particular type of smartphone, was seeking treatment for HIV or drug addiction.

Privacy advocates long have argued that routine encryption – using a popular protocol called SSL – should be standard for Web sites or apps handling potentially sensitive information, especially when it relates to personal medical concerns. Government officials, in response to questions posed by The Washington Post, said they came to agree that their sites created privacy risks for those seeking AIDS-related services.

This is interesting because we know that the NSA has actively worked undercover in the cyber security industry to degrade and create weaknesses in online services. So maybe this is not sheer incompetence and apathy. Maybe the government actively worked to make sure our personal data was vulnerable when we used AIDS.gov.