HealthCare.gov Hacked

By Duane Thresher, Ph.D. July 25, 2020

HealthCare.gov, the Obamacare website, was launched in October
2013. Its launch was universally considered a monumental
disaster and this was largely due to the IT incompetence of
the website's foreign (Canadian) developers. There had been
great concern HealthCare.gov would be hacked. When that
didn't happen immediately it was taken as proof that its IT
was secure. However, absence of evidence is not evidence of
absence. Most hackers want to steal sensitive data,
particularly identity data, undetected, and go to a lot
of trouble for the undetected part, since it means they can
continue to steal data, which is constantly updated, for
years. Data breaches are thus often not discovered, and made
public, until years later, if ever. In early March 2020, I made the
shocking discovery, reported nowhere else, that
HealthCare.gov, via Experian, had been hacked from its launch
in October 2013 until September 2015, i.e. for 2 years.

I was at the HealthCare.gov launch, unfortunately (like me
living in Manhattan on 9/11). I was running my own
business and needed to get my family health insurance.
Getting health insurance at HealthCare.gov then could only be
described as a multi-night nightmare; literally full
frustrating work days in front of the computer, trying,
repeatedly and unsuccessfully, to apply through the IT
incompetent HealthCare.gov website.

A big part of the problem was that HealthCare.gov used
Experian for the required identity verification (a.k.a.
authentication) — you couldn't get health insurance until you got
through that. Experian is one of the major credit reporting
agencies, like Equifax.
To squeeze even more money from the personal data for credit
ratings they have gathered without permission, Experian also
offers an identity verification service. Experian pretends
that it has identity verification data on all Americans
— so its service will not fail most of the time —
but that is total nonsense. Many Americans have no credit
rating because they pay all their bills on time, don't have
any loans, and don't have credit cards.

If Experian had no identity verification data on you, like it
didn't for millions of Americans, you had to mail in paper
copies of all your ID to them before you could get health
insurance on HealthCare.gov.

Experian admitted on 1 October 2015 to a data breach lasting
over two years — from 1 September 2013 to 16 September
2015 — that exposed to hackers the private information
of anyone who used its services, including its identity
verification service. HealthCare.gov, which as described used
Experian for identity verification, was launched in October
2013, after Experian had been hacked. So HealthCare.gov was
hacked too, and for two years (at least).

Experian admits at least 15 million people were victims, but
this may not include the far greater millions who used
HealthCare.gov. HealthCare.gov never made this data breach
public. Why would they? HealthCare.gov has always been on
very shaky ground and under attack and a disclosure like this
could, rightfully, end them. And if HealthCare.gov wouldn't
admit the data breach, why would Experian admit that its data
breach was far worse than the 15 million people it did admit
to? Neither organization cares about anything but their own
continued existence and massive profits. They certainly don't
care about the millions of people they've hurt, their
identities stolen.

All data breaches are caused by IT incompetence and the
most important IT credential is a good IT education.

John Finch was Experian's Global CIO, "Leader of Experian's
Global Cyber Security Operation", from September 2011 to August 2013.
Experian said, over two years later, that the data breach
began 1 September 2013 (it might have been earlier given that
first of the month date, which also might have been chosen to
fall between Finch's and his successor's tenures, to avoid
anyone having to take responsibility). While Finch's
successor took over in September 2013, the IT incompetent
insecure conditions that let in the hacker(s) were in place
before September 2013, and were thus Finch's fault.

John Finch has no IT education, only a BS in business economics
(from the low-ranked University of Hull; Finch is British).
He is a complete IT incompetent. After his disastrous stint
at Experian, Finch became the CIO for the Bank of England. He
spent only another couple of years there before fleeing again
to Thomson Reuters, the giant media conglomerate and owner of
the news organization Reuters.
Finch seemed to run from job to job quickly so they would not
have time to discover he was IT incompetent, much like Alex
Stamos; see "Yahoo-Then-Facebook CISO Alex Stamos Allows Yet
Another Massive Data Breach".
Finch is now a private "advisor".

In early March 2020, I made the discovery that HealthCare.gov
had been hacked via Experian when I tried using the Virginia
State Corporation Commission's new website and discovered to
my horror that they use Experian for identity verification.
So I did some research into Experian identity verification,
which is no better now than it was in late 2013, and made the
discovery. I continue to deal with the Virginia State
Corporation Commission using only mailed-in paper.

I pointed all this out to the Virginia State Corporation
Commission, but they were not interested, especially since
they were already having huge problems with their new IT
incompetent website (sound familiar?). Maybe they'll be
interested when ownership of some of the major corporations
registered in Virginia starts being stolen by
hackers.