Sebelius questioned about Obamacare site security

  @Jose_Pagliery October 30, 2013: 4:02 PM ET
NEW YORK (CNNMoney)

At a House hearing on Wednesday, U.S. Secretary of Health Kathleen Sebelius acknowledged security concerns facing Healthcare.gov but said the site had not been hacked.

Until last week, anyone could easily reset Obamacare applicants' passwords and potentially hijack their accounts. The glitch was discovered last week by a software tester in Arizona, and CNNMoney reported the security vulnerability on Tuesday. Health spokeswoman Joanne Peters told CNNMoney that the Department of Health made key changes this week, eliminating the "theoretical vulnerability."

Sebelius rebutted incorrect assertions by Republican Congressmen that the website had been hacked.

"There was not a breach," Sebelius said. "It was a theoretical problem that was immediately fixed."

Though the security hole was never exploited, the problem was quite real -- at least until last week. Anyone who could guess an existing user name and had a basic understanding of how to read a website's code could potentially access someone's account.

Congressman Mike Rogers, R-Mich., also asked Sebelius about the security implications of putting in so many patches and fixes. He said that adding in new computer code exposes the entire system to new risks. He also accused health officials and their many contractors of not performing a system-wide security test, a tech industry standard.

"You did not have the most basic end-to-end test on security in the system," Rogers said. "Amazon would never do this."

When Rogers asked if the federal government would be willing to shut down the Obamacare website until such a test is done, Sebelius said no.

Apparently, red flags on security issues had been raised before. When Rogers questioned Sebelius, he disclosed the existence of a memo in which top health officials warned Sebelius that the Obamacare system didn't complete a necessary security test because of "system readiness issues."

During the hearing, Sebelius spoke at length about the website's many issues, apologized for its shortcomings and promised they would all be resolved by the end of November -- even while most of the site remained down Wednesday morning.

"Hold me accountable for the debacle. I'm responsible," she said.