Amid warnings that the websites used to run the nation's healthcare exchanges are at risk, HealthCare.gov chief among them, one of those exchanges is already dealing with the fallout from a data breach. According to reports, Vermont has disclosed a breach linked to its healthcare exchange after the person whose records were exposed reported the problem.
Vermont Health Connect, the state-run healthcare exchange that opened on October 1 under the Affordable Care Act, filed a report with federal officials describing a breach that occurred on October 17. According to the report, obtained by the Associated Press, the state learned of the breach only after one of the victims wrote to it.
The person who reported the problem is not named in the report. However, Greg Needle, the privacy administrator with Vermont Health Connect, confirmed that this person's Social Security number, along with the information submitted to the exchange during the application process, was obtained by an unauthorized party. According to the letter Needle sent to the Centers for Medicare and Medicaid Services (CMS), the person learned of the breach through an anonymous letter.
The letter itself was a copy of the unnamed person's application, along with a message written on the last page of the application and the back of the envelope that said, "VERMONT HEALTH CONNECT IS NOT A SECURE WEBSITE!"
The report to CMS describes a single case, known only because the affected person came forward; there is no way to tell whether others received the same anonymous warning. The Vermont Health Connect website makes no mention of the incident.
In a statement, Mark Larson, the commissioner of the Department of Vermont Health Access, said the incident was "one case and it was responded to appropriately," adding that the "unique circumstances" that led to the breach cannot be repeated due to his department's efforts.
Only 16 states besides Vermont run their own portals under the Affordable Care Act; all others use HealthCare.gov. Asked about this latest incident, Dave Kennedy, CEO of TrustedSec LLC and one of the experts who recently testified before the House of Representatives Science, Space and Technology Committee about the high level of risk on HealthCare.gov, said he thinks this is just the beginning.
"I think we will see a lot of exposures and breaches occur on both the state and federal level. HealthCare.gov is only the start, there are a number of states that built their own state exchanges [and] the technology between them is completely different per state in most cases," he told CSO in an interview.
For example, he noted, some of the state-managed exchanges are custom-coded in PHP, while others are built on a content management system such as SharePoint or Drupal. Many of these platforms already have known exposures, such as cross-site scripting and open redirects. "I think there's some serious concern here," he said.
As for the method of disclosure: anyone trying to help by exposing security flaws in a healthcare website should not be sending anonymous letters. However, Kennedy said, for those who lean toward full and open disclosure, or worse, criminals out for outright data theft, the ethics of responsible vulnerability reporting mean very little.
"We should be cautious and contact notified parties in a responsible and ethical manner. This isn't always going to be the case for individuals that lean more towards open disclosure or worse, stealing the information for online theft," Kennedy explained.
In the end, Vermont's security problems are likely just the beginning. Information is a valuable commodity to criminals, and repositories like this are painted targets.
"These exchanges will have a vast amount of information about individuals within the state, it's going to be a treasure trove for criminals for a number of years to come," added Kennedy.