Heritage came out with a disturbing report on its blog last night that highlighted another security concern with the Obamacare website, in which a user evaluating his health insurance options was presented with downloadable letters that contained insurance eligibility information about other people.

From The Foundry:

[Justin] Hadley, a North Carolina father, buys his insurance on the individual market. His insurance company, Blue Cross Blue Shield of North Carolina, directed him to HealthCare.gov in a cancellation letter he received in September.

After multiple attempts to access the problem-plagued website, Hadley finally made it past the registration page Thursday. That’s when he was greeted with downloadable letters about eligibility — for two people in South Carolina. (Screenshot below.)

(Screenshot, via Heritage: the marketplace eligibility letters offered for download.)

The letters, dated October 8, acknowledge receipt of an application to the Health Insurance Marketplace and the eligibility of family members to purchase health coverage. One of the letters was addressed to Thomas Dougall, a lawyer from Elgin, SC.

Both Hadley and Heritage spoke with Dougall about the situation. Dougall had apparently registered on healthcare.gov in early October but had decided not to sign up for a plan. He had not seen the letter until Hadley showed it to him.

Not surprisingly, Dougall said, “I want my personal information off of that website.”

Hadley and Dougall have both contacted various representatives at healthcare.gov and HHS, but neither seems to be making much progress in getting the situation fixed. Both have also reached out to their elected officials, according to Heritage.

The apparent privacy breach demonstrates the very security concerns that many have raised about the website and that some have dismissed as merely theoretical. Neither Heritage nor the people involved have said what caused it, but the symptom itself is plain: a logged-in user was served documents belonging to other applicants, which means the site handed out a document without confirming that it belonged to the account requesting it.
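The page does not say whether the letters leaked because of a missing ownership check, a session mix-up, or something else entirely. The following is an added illustrative example, not HealthCare.gov code and not a claim about its internals; the account IDs, letter IDs and letter text are constructed sample data. It shows the pattern that produces the symptom described above (a document looked up by ID alone) beside the server-side ownership check that prevents it.

```python
"""Object-level authorization for per-user document downloads.

Added illustrative example; not HealthCare.gov code and not a description
of the cause of the incident reported above. All accounts, letter IDs and
letter bodies are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Letter:
    letter_id: str
    owner_account: str
    body: str


@dataclass(frozen=True)
class Session:
    account: str  # the authenticated account this session belongs to


# Constructed sample data: two eligibility letters owned by different accounts.
LETTERS = {
    "ltr-1001": Letter("ltr-1001", "acct-A", "Eligibility notice for account A"),
    "ltr-1002": Letter("ltr-1002", "acct-B", "Eligibility notice for account B"),
}


def fetch_letter_insecure(session: Session, letter_id: str) -> Letter:
    """Vulnerable pattern: the document is looked up by its ID only.

    Any authenticated user who knows or guesses an ID receives the document,
    whoever it belongs to. The session is accepted but never consulted.
    """
    return LETTERS[letter_id]


def fetch_letter(session: Session, letter_id: str) -> Letter:
    """Hardened pattern: the lookup is scoped to the caller's account.

    Ownership is checked on the server for every request. A mismatch is
    reported exactly like a missing document, so the response does not
    confirm that someone else's letter exists under that ID.
    """
    letter = LETTERS.get(letter_id)
    if letter is None or letter.owner_account != session.account:
        raise PermissionError(f"no letter {letter_id} for account {session.account}")
    return letter


def list_letters(session: Session) -> list[str]:
    """The download list shown to a user is built from an owner-scoped query,
    never from a global list filtered (or not) on the client side."""
    return sorted(l.letter_id for l in LETTERS.values()
                  if l.owner_account == session.account)


if __name__ == "__main__":
    s = Session("acct-A")
    print("letters visible to acct-A:", list_letters(s))
    # The insecure lookup leaks account B's letter to account A.
    print("insecure lookup returned owner:",
          fetch_letter_insecure(s, "ltr-1002").owner_account)
    try:
        fetch_letter(s, "ltr-1002")
    except PermissionError as err:
        print("hardened lookup refused:", err)
```

The check belongs in the handler that serves the document, not only in the code that builds the list of links: a user who can reach a download URL directly, or who is handed another user's list by mistake, must still be refused at the point of retrieval.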

A CMS memo obtained by news outlets last week revealed that the security control assessment (SCA) was only partly completed before the federal marketplace launched. Not all of the security controls had been tested against a single complete version of the system, which the memo itself rated a high security risk. An excerpt from that memo reads:

From a security perspective, the aspects of the system that were not tested due to the ongoing development exposed a level of uncertainty that can be deemed as a high risk… Although throughout the three rounds of SCA testing all of the security controls have been tested on different versions of the system, the security contractor has not been able to test all of the security controls in one complete version of the system.

A full assessment was deferred until after the launch, with a six-month mitigation plan in place.

Earlier, a CNN Money article described additional security flaws that Ben Simo, an experienced software tester, had documented on his blog.

While some of the issues Simo and others have raised have since been acknowledged by officials and fixed, clearly other issues still remain.

The biggest concern is the unknown – how many more situations like the one described at The Foundry are yet to be discovered?