Security was the last thing I was pondering when I first tried to log onto HealthCare.gov nearly two months ago. I just wanted to find an affordable policy for my family of four.
I never was able to log on despite hours of attempts, although I did manage to submit an application via the toll-free number (800-318-2596). As I tried to follow up and pin down an appropriate policy recently, though, my security claxon went off.
Last week, I received several calls from a representative who claimed to be from HealthCare.gov. She was trying to obtain some more information for my application and claimed to be from a "processing center in Arkansas."
Since I've written extensively about scams elsewhere (see my "Bamboozlement" blog on Forbes.com), my nose shot up like a terrier sensing a rodent. Why would someone call me, I wondered? Wouldn't they want to send me a secure email or an old-fashioned certified snailmail letter? When my tax preparer, for example, sends me my completed tax forms via email, the file is secured with a password.
When I spoke to the representative, my meager knowledge of security kicked in. Could she provide some identifying information such as my date of birth, address or Social Security number?
"No, I'm sorry, we're not allowed to do that," she said politely.
"Well, how about some identifying code that was submitted with my application," I retorted.
Since I wasn't provided even so much as an application number – only the name of the phone representative when I applied three weeks ago – this wasn't much help, either.
"Well, of course, I don't know who you are or where you're calling from," I said in a cautious tone. "I've heard about lots of scams where people are calling for `Obamacare verification.' I'll need something to tell me who you are and where you work."
"I'm sorry. We can’t give out that information."
We hit an impasse, but she said she could send a letter. Since I'm still anxious to review policies and premiums, I'm willing to be patient; she provided me an application number for future reference. Whether that's a meaningful identifier remains to be seen. I just won't give out vital information unless I know whom I'm talking to on the other end of the phone.
Still, there was the specter of some major security issues looming over this flawed process. I had supplied all of my family's Social Security numbers and dates of birth. Although I knew I was speaking to HealthCare.gov on my original call, what was being done to secure this information in their fractured system?
An identity thief could go to town on the basic information I provided. What was the government doing to safeguard this data?
While I want the exchange to provide my family with decent coverage at an affordable price – my initial inquiries suggest that's possible – I don't want to have to cancel all of my credit cards in the event someone steals our Social Security numbers. I've been the victim of identity theft twice and it's no picnic.
The Department of Health and Human Services has denied the possibility of any security breaches in HealthCare.gov. Obama administration tech official Henry Chao testified to Congress Nov. 19 that the site met all security benchmarks, and that the government and its contractors on the project were “hard at work to design, build and test secure systems that ensure Americans are able to enroll in affordable health care coverage.”
But isn't it possible that, since they botched the basic interface, HealthCare.gov's techies might not have written strong code for security? In the same testimony, Chao offered scant reassurance, noting his team "has yet to complete 30 to 40 percent of the overall project.
There's the dispute as to whether proper front-end security testing was even done for the troubled system. Health and Human Services Secretary Kathleen Sebelius insisted that it was in a statement she made to the Associated Press, while a government contractor with The Mitre Corporation told another story.
Jason Providakes, a senior vice president at Mitre, told Congress that, “Mitre is not in charge of security for HealthCare.gov. We were not asked, nor did we perform ‘end-to-end’ security testing. We have no view on the overall ‘safety’ or security status of HealthCare.gov.” (Providakes did also testify that he had entered his own personal information on the site and felt comfortable doing it.)
Does HealthCare.gov need to be shut down to ensure that the security firewall is secure, as some have suggested? Until I have some assurance that my personal data is protected, I'm wary about using the site. The system was designed to be a safety net, not a security trap door.
Top Reads from The Fiscal Times: