user presented with stranger’s eligibility letter

Heritage came out with a disturbing report on its blog last night that highlighted another security concern with the Obamacare website, in which a user evaluating his health insurance options was presented with downloadable letters that contained insurance eligibility information about other people.

From The Foundry:

[Justin] Hadley, a North Carolina father, buys his insurance on the individual market. His insurance company, Blue Cross Blue Shield of North Carolina, directed him to in a cancellation letter he received in September.

After multiple attempts to access the problem-plagued website, Hadley finally made it past the registration page Thursday. That’s when he was greeted with downloadable letters about eligibility — for two people in South Carolina. (Screenshot below.)


The letters, dated October 8, acknowledge receipt of an application to the Health Insurance Marketplace and the eligibility of family members to purchase health coverage. One of the letters was addressed to Thomas Dougall, a lawyer from Elgin, SC.

Both Hadley and Heritage spoke with Dougall about the situation.  Dougall had apparently registered on in early October but had decided not to sign up for a plan.  He had not seen the aforementioned letter until Hadley had shown it to him.

Not surprisingly, Dougall said, “I want my personal information off of that website.”

Hadley and Dougall have both contacted various representatives with and HHS, but neither seems to be making much progress in rectifying the situation.  Both have also reached out to their elected officials, according to Heritage.

The apparent privacy breach demonstrates the very security concerns that many have raised about the website but that some have dismissed as merely theoretical.

In a CMS memo that was obtained by news outlets last week, it was revealed that a security control assessment (SCA) was only partly completed before the federal marketplace launch.  Not all of the security controls had been tested in one complete version of the system, which presented a high security risk.  An excerpt from that memo read:

From a security perspective, the aspects of the system that were not tested due to the ongoing development exposed a level of uncertainty that can be deemed as a high risk… Although throughout the three rounds of SCA testing all of the security controls have been tested on different versions of the system, the security contractor has not been able to test all of the security controls in one complete version of the system.

A full assessment was deferred until after the launch, with a six-month mitigation plan in place.

And in a previous report outlined in a CNN Money article, additional security flaws were revealed by an experienced software tester named Ben Simo on his blog.

While some of the issues Simo and others have raised have since been acknowledged by officials and fixed, clearly other issues still remain.

The biggest concern is the unknown – how many more situations like the one described at The Foundry are yet to be discovered?





pathfindersgt | November 3, 2013 at 3:22 pm

wow. just……wow. the incompetence of all responsible with this law and its associated site(s) is simply stunning.

can we really even be surprised at the depths we find it reaches anymore?

Whatever: It only the little people’s information that is being put at risk, not that of the ruling class, so what difference does it make?

    JPL17 in reply to Rick. | November 3, 2013 at 5:28 pm

    The difference is that it’s the little people who’ll need to sign up on the Obamacare exchanges in droves in order for Obamacare not to crash + burn. If enough of them come to believe that uploading their personal data onto the Obamacare website is the same as publishing it in the NY Times, they’ll STAY AWAY in droves. These security breaches could therefore doom the whole project.

      Rick in reply to JPL17. | November 3, 2013 at 5:33 pm

      So, in addition to having dropped “is” I should have included a /sarc tag.
      Your point is well taken, and I hope that this lack-of-security feature encourages more folks to stay away from obamacare.

“I want my personal information off of that website.”

Sorry, no can do. There is no provision for deleting your account or your information.

I’d have to disagree with the claim that this is a security issue. If you think of security as an impenetrable skin, it still requires that whatever it is there to protect works in the first place, and this obviously doesn’t. To put it another way, even if the security were functioning correctly, the system could still put out the wrong information.

    QualityFrog in reply to fmc. | November 4, 2013 at 10:43 am

    This is a security issue. Security is more than just keeping the unwanted out of the system. Security includes keeping information properly compartmentalized. Security includes ensuring that one person’s information isn’t made available to another person.

I don’t think all the bugs will be shaken out by January 1st.

There’s a good chance, given that policies have been cancelled … is that some “emergency plan” will have to emerge from Warren Buffett … so that there won’t be a gap in coverage.

For whom? Those already “in care.” And, those who fall sick over the holidays. Which usually sees a rise in heart attacks.

Drudge also leads that “all” doctors will have to cover anyone who walks in the door. So? Doors will need to be bolted shut. And, doctors will need unlisted phone numbers.

Since there’s no tort reform, I guess there will be lawsuits marching along this House of Cards.

The other thing? Well, it’s the economy. You’re going into the biggest retail time to sell stuff for Christmas. And, people won’t have any money.

They’ll have (if they can get it) astronomical increases in health costs. And, wages aren’t going up.

What did Obama really want? Well, he’s been looking for a surge in prices. Rather than watching our economy flatlining.

You know, if Obama didn’t see this coming, he’s just plain stupid.

But I knew that.

Medicare, by the way, continues. But rates go up. From my current rate of $28 a month, it zooms to $80 a month. So? Well, doesn’t that mean more of the (close to same) social security check now get diverted back to the government?

The big mistake? Call it what you want, but IF Health Care ain’t ready … doesn’t it make the government shutdown look foolish? Isn’t there going to have to be a delay towards implementation?

Will the final argument be that the republicans were requesting a year … So the politicians could survive November 2014. And, let’s say you wave a magic wand. Do you want this expensive experiment to hit American wallets before they go to the polls next year?

Most surprising of all is that both parties hire professionals. They’d be better hiring optometrists, so they could see the handwriting on the wall.

Can you file a HIPAA complaint against the federal government?

“I want my personal information off of that website.”

Hah! And just who does this guy think he is? Back in line slave! You need to just do your duty and pay up for everyone else. Follow the wise words of Vice President Double Barrel er Joe Biden and remember, paying your taxes is patriotic!


Readers – If you have individual insurance, please, please for your own safety just sign up directly with an insurance company. In my case Regence Blue Shield of Washington had similar plans as the exchange (maybe $10/month higher) but I kept my doctor network AND my financial privacy.