HealthCare.gov: Change Passwords

Heartbleed Bug Prompts Precautions

The Department of Health and Human Services is requiring consumers to change their passwords on the HealthCare.gov website as a precaution against the Heartbleed bug.

A notice on HealthCare.gov, the website for the federally facilitated health insurance marketplace under the Affordable Care Act, or Obamacare, says, "Recently, you may have heard about a new Internet security weakness, known as Heartbleed, which is impacting some websites. HealthCare.gov uses many layers of protections to secure your information. While there's no indication that any personal information has ever been at risk, we have taken steps to address Heartbleed issues and reset consumers' passwords out of an abundance of caution."

The notice continues, "This means the next time you visit the website, you'll need to create a new password. We strongly recommend you create a unique password - not one that you've already used on other websites. ... There's no indication that Heartbleed has been used against HealthCare.gov or that any personal information has ever been at risk. However, we're resetting current passwords out of an abundance of caution, to ensure the protection of your information."

In a statement provided to Information Security Media Group the morning of April 21, HHS' CISO Kevin Charest says, "There has been no effect from Heartbleed for Healthcare.gov. This is simply following the best practices established, which include a number of steps such as patching, reinstalling encryption keys, and end user password resets."

Charest said in a recent interview, conducted before the Heartbleed bug was revealed by security investigators, that there have been "no successful malicious attacks on the [HealthCare.gov] site or systems."

The site is undergoing "end-to-end" security testing every quarter, even though the federal government requires such testing every three years, he added. The quarterly testing will likely continue for the next year or two, "then move to a reasonable cycle," he said. Also, before the next open enrollment period begins on Oct. 1, the HealthCare.gov technical and security team will be busy at work updating the site and systems with new health plans being offered by insurers, Charest said. "We're continually improving the site," he added.

"We continue to be vigilant; that's not a boast. It's simply saying we've done the things needed to protect the site," he said. "Anything can be compromised, I'm not trying to say we will never have a problem because that would be foolish, too. But I will say that we take this very seriously."

Heartbleed exposes a flaw in OpenSSL, a cryptographic tool that provides communication security and privacy over the Internet for applications such as e-mail, instant messaging and some VPNs (see Heartbleed Bug: What You Need to Know).


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.



