HealthCare.gov urges password resets due to Heartbleed

Officials are urging those with accounts on HealthCare.gov to reset their passwords due to the Heartbleed vulnerability.


As if the website didn't have enough problems to deal with...

Administrators of HealthCare.gov, the enrolment website for President Obama's Patient Protection and Affordable Care Act (referred to by some as Obamacare), have reset user passwords after an audit determined that the servers hosting the insurance exchange were vulnerable to Heartbleed.

In a notice posted to the website on Saturday, users are told that while there has been no indication of information loss, the passwords were reset out of an abundance of caution.

"There’s no indication that Heartbleed has been used against HealthCare.gov or that any personal information has ever been at risk. However, we’re resetting current passwords out of an abundance of caution, to ensure the protection of your information."

As of Monday morning, visitors to the website and those who attempted to log in over the weekend seem to be the only ones told of the changes. The official Twitter and Google+ accounts for HealthCare.gov haven't addressed the topic.

The Internet has been buzzing about Heartbleed since it was disclosed earlier this month, and HealthCare.gov is just the latest mainstream website to have been impacted by the vulnerability.

The ACA website isn't the only domain impacted though. Senior officials for the Obama administration told the Associated Press that other government websites might produce similar warnings, including Whitehouse.gov, where the We the People petitions page is hosted.

In a blog post, DHS deputy undersecretary for cybersecurity and communications, Phyllis Schneck, said it will take time for the government to address the Heartbleed issue properly.

"As we conduct the scans of government systems and agencies conduct their own reviews, many government websites turn out to have never been vulnerable to Heartbleed because they did not use OpenSSL; in those cases, no further action is needed at this time. However, in those cases where agencies determine that a website or system could have been vulnerable to Heartbleed, they are taking the same steps as the private sector..."

"We will continue to focus on this issue until government agencies have mitigated the vulnerability in their systems. And we will continue to adapt our response if we learn about additional issues created by the vulnerability."