Obamacare Enrollees Urged to Change Passwords over Heartbleed Bug

The Obama administration warned online healthcare enrollees to change their passwords following an administration-wide review of the government’s vulnerability to the confounding Heartbleed Internet security flaw.

Authorities claim there's no evidence that anyone's personal information has been compromised, but the passwords were reset "out of an abundance of caution." Photo: Sucesospr.com/Flickr

Americans who have accounts on the presidential health insurance enrollment website are being asked to change their passwords to protect their personal information, as a precaution against the infamous Internet security bug Heartbleed.

Enrollees who have accounts will be prompted to create new passwords the next time they visit the site, according to an announcement posted on HealthCare.gov, a federal website managed by the U.S. Centers for Medicare & Medicaid Services.

“While there’s no indication that any personal information has ever been at risk, we have taken steps to address Heartbleed issues and reset consumers’ passwords out of an abundance of caution,” said the message posted on Saturday. The announcement recommends that users create a unique password, one that has never been used before on other websites.

The Heartbleed flaw, first discovered by Google and Codenomicon and introduced in early 2012 in a minor adjustment to the OpenSSL protocol, appears to be one of the biggest flaws in the Internet’s history, affecting the basic security of as many as two-thirds of the world’s websites. The bug can reveal the contents of a server’s memory, where the most sensitive data is stored, including usernames, passwords, and credit card numbers.

At the same time Heartbleed became public, hackers around the world were sharing tools to take advantage of the new vulnerability of certain websites, Krebs wrote on his blog Krebsonsecurity.com.

HealthCare.gov, a health insurance exchange for the 36 states that opted out of creating their own state insurance exchanges, was created under Obama’s signature health care law, the 2010 Patient Protection and Affordable Care Act.

The health care website came under fire from critics last fall when the opening of the insurance enrollment period revealed widespread flaws in the online system, as many people simply couldn’t access the site to get insurance or research healthcare plan options. Concerns were also raised about the website’s potential security vulnerabilities, because customers input large amounts of personal data.

“We will continue to focus on this issue until government agencies have mitigated the vulnerability in their systems,” Phyllis Schneck, DHS deputy undersecretary for cybersecurity and communications, wrote in a blog post on the agency website. “And we will continue to adapt our response if we learn about additional issues created by the vulnerability.”

The news about the password reset broke two days after President Barack Obama announced that eight million people had signed up for the Affordable Care Act during the open enrollment period, with 2.2 million of them between 18 and 34 years old.

Previously, enrollment was expected to reach a level of 38 percent of people in the 18 to 34 age range, to give insurers a strong mix of healthier members whose premium payments help offset the cost of older, sicker policyholders. The figures the White House announced Thursday constitute 28 percent of total sign-ups.

The President urged Republicans, who remain almost universally opposed to the health care law, to move on. “I find it strange that the Republican position on this law is still stuck in the same place that it has always been. They still can’t bring themselves to admit that the Affordable Care Act is working,” he said.
