HealthCare.gov Suffered 316 Security Incidents

HardOCP News

Hmmmm, on average, this is more than one security breach every other day for 18 months straight. Does anyone know what they spent all that money on when they "fixed" HealthCare.gov?

Obamacare faced more than 300 security incidents over an 18-month span, the government's top watchdog said Wednesday in a report finding the federal HealthCare.gov website is still riddled with vulnerabilities behind the scenes. The Government Accountability Office said some of the incidents were attacks by hackers poking to find weaknesses, though investigators do not think they were able to steal any critical personal information such as birth dates or Social Security numbers.
 
Before this turns into a shit show about the ACA, I just want to point out that gamerk2 is on the money. The real question is whether it is improving and whether security is getting the proper funding. Just having incidents like these does not merit an OMG THE GUBBAMINTZ SUXX!

Also, note the lack of anything about the ACA in this post. Don't jump to conclusions about what I think just because I'm not foaming at the mouth over this.
 
And I just want to point out that just because you might lean a certain way politically doesn't mean it's an excuse for poor security on a site that would depend on maintaining consumer privacy.

It's not acceptable regardless of where you fall on the political spectrum, and people need to stop being enablers.

Steve, as to where the money went - into the political coffers for the next campaign, of course - that, and that 3 million dollar yacht.... ;)
 
Honestly, 316 incidents over 18 months for such a public website, with that much potential money for stolen information, is not that high.

Exactly. And at least we know about it. Unlike data breaches at Neiman, and Target, and....and...and...and...

How many data breaches did private insurance companies and health care companies suffer each in the same period? No one knows.
 
Honestly, 316 incidents over 18 months for such a public website, with that much potential money for stolen information, is not that high.
Nice rationalization... It's not really, really, really bad; it's only really, really bad...

Even Chelsea Clinton is condemning 0bamacare. Isn't fascism government control over privately owned businesses?
 
Nice rationalization... It's not really, really, really bad; it's only really, really bad...

Even Chelsea Clinton is condemning 0bamacare. Isn't fascism government control over privately owned businesses?

Quick, how many data breaches at Geico were there in 2015? How about at State Farm? How about at Farmer's? Nationwide?

316 is bad....but only because no one knows how many breaches occurred at private companies. I'll bet money that if we knew how insecure private insurance companies were and how many data breaches each had were public knowledge--we'd be singing praises to the Healthcare Exchange IT dept.
 
Honestly, 316 incidents over 18 months for such a public website, with that much potential money for stolen information, is not that high.

It is for the outrageous amount of money spent on it and it is still far from finished.
 
It is for the outrageous amount of money spent on it and it is still far from finished.

Tell me how much money Target spends on IT...and how many data breaches of what size they've had in the last 18 months.

GO.
 
Tell me how much money Target spends on IT...and how many data breaches of what size they've had in the last 18 months.

GO.


Tell me, would you be defending this THIS hard if the ACA was put in place by a Republican? GO.

On second thought, no need - we all already know the answer. ;)
 
And I just want to point out that just because you might lean a certain way politically doesn't mean it's an excuse for poor security on a site that would depend on maintaining consumer privacy.

It's not acceptable regardless of where you fall on the political spectrum, and people need to stop being enablers.

Steve, as to where the money went - into the political coffers for the next campaign, of course - that, and that 3 million dollar yacht.... ;)


Security Incidents do not equate to security breaches. Any probe is a security incident. Someone leaving their smart card in their smart card reader is a security incident, etc etc. Someone getting a spearphishing email is a security incident. Getting the picture?

Even a site with perfect security would still have security incidents as long as someone is trying to get in to it.
 
Tell me, would you be defending this THIS hard if the ACA was put in place by a Republican? GO.

I can't speak for Skripka, but the ACA is funded by all of our tax dollars, none of which care about the distinction between Republican and Democrat. We know that the incidents occurred, we know that the ones listed were fixed, and we know that no personal information was leaked as a result.

Some things we are missing:
  • How many data "incidents" do private companies have to deal with yearly?
  • How many data "incidents" do public web sites with similar traffic have?
  • Of the 41 breaches that were mentioned in the article, what was their severity?
  • What is the distinction between "incident" and "breach?"
  • Is security improving over time?
  • Is security being funded at a high enough level?
None of the things we are missing care about Republicans or Democrats. If you have decided that the ACA is bad no matter what, then that's your problem. Based on the data, we can't make a valid claim that security is terrible or that tax dollars have been wasted. Since the ACA is a public operation, those details will come out over time, and then we can judge.
 
Tell me, would you be defending this THIS hard if the ACA was put in place by a Republican? GO.

On second thought, no need - we all already know the answer. ;)

I don't have to...because they never would. Your question is like asking how many angels can dance on the head of a pin.

I do however know based on leaked info some insight as to how god-awful data security is in the private sector...and schlepping healthcare and insurance to the private sector is what Republicans have been after for years. However bad the exchange security is, the private sector is as bad or worse, we are just kept in the dark about it.
 
Tell me, would you be defending this THIS hard if the ACA was put in place by a Republican? GO.

On second thought, no need - we all already know the answer. ;)

That's unfair, and stupid.

In fact, Skripka isn't defending anything at all except his position that this report isn't indicative of a failing. I agree with him, that without characterizing the nature of the security incidents in question that all this shows is that the site is someone's favorite target of the month.
 
My mail server probably gets attacked 300 times a day, I am not surprised
 
See guys?

Look, I am not saying they don't have security issues. What I am saying is that reported Security Incidents, as a number without detail to their nature, is not a reliable indicator.

EDIT: BTW, that linked article keeps coming up really bad for me. Is it actually an article hosted from another site where we can get a better link to it? Looks like it's originally an AP article.

Is this the same article?
Report: HealthCare.gov logged 316 cybersecurity incidents
 
Hmmmm, on average, this is more than one security breach every other day for 18 months straight. Does anyone know what they spent all that money on when they "fixed" HealthCare.gov?

Obamacare faced more than 300 security incidents over an 18-month span, the government's top watchdog said Wednesday in a report finding the federal HealthCare.gov website is still riddled with vulnerabilities behind the scenes. The Government Accountability Office said some of the incidents were attacks by hackers poking to find weaknesses, though investigators do not think they were able to steal any critical personal information such as birth dates or Social Security numbers.

Nice leap there steve...

I misread the every other day part. Sorry steve.
 
Nice leap there steve...

Security incident and security breach are not even remotely the same thing. Anything can be an incident, a breach is someone actually getting past security.

Also can you explain how 316 incidents over 18 months magically equals an average of one incident a day over 18 months? Those are some interesting averages. :rolleyes: It actually averages to 0.57 incidents per day...

Normally I don't get into the whole "steve news drama" but this is some first class bullshit if I have ever seen it. Flat out manipulating wording and bullshit math to exaggerate an issue. WTF...


Really no different than what other people are doing here in the thread to defend it.

Life goes on, lol.
 
Nice leap there steve...

Security incident and security breach are not even remotely the same thing. Anything can be an incident, a breach is someone actually getting past security.

Also can you explain how 316 incidents over 18 months magically equals an average of one incident a day over 18 months? Those are some interesting averages. :rolleyes: It actually averages to 0.57 incidents per day...

Normally I don't get into the whole "steve news drama" but this is some first class bullshit if I have ever seen it. Flat out manipulating wording and bullshit math to exaggerate an issue. WTF...


Disposed, you're right about what a Security Incident is or isn't. And I haven't done the math myself and don't really care to as it's mostly immaterial. But I think your conclusion is a little on the harsh side.

Steve finds articles that he thinks we'll enjoy debating over. Some of us enjoy them more than others. And although Steve puts his little comments in there I think they are more about generating interest than about communicating his personal position.
Since you are so much better at math than I, how about taking Steve's "one incident a day over 18 months" and reverse engineer his math, see if you can figure out his error. If you can then I'd say that's all it was, an error, human error. If you can't then maybe he pulled it out of his ass to hype the post, or maybe he's just so bad at math that an expert like yourself just can't get there.

Either way, without something that amounts to proof backing up your statement, I'll call a "Ned Pepper" on this one.
 
Did it always say every other day? Am I losing my mind? If so, seriously, I apologize.
 
Yeah, it did. I remember seeing it on the front page right after he posted it.
 
Disposed, you're right about what a Security Incident is or isn't. And I haven't done the math myself and don't really care to as it's mostly immaterial. But I think your conclusion is a little on the harsh side.

Steve finds articles that he thinks we'll enjoy debating over. Some of us enjoy them more than others. And although Steve puts his little comments in there I think they are more about generating interest than about communicating his personal position.
Since you are so much better at math than I, how about taking Steve's "one incident a day over 18 months" and reverse engineer his math, see if you can figure out his error. If you can then I'd say that's all it was, an error, human error. If you can't then maybe he pulled it out of his ass to hype the post, or maybe he's just so bad at math that an expert like yourself just can't get there.

Either way, without something that amounts to proof backing up your statement, I'll call a "Ned Pepper" on this one.

Not one time in the article is the word breach used. Why reword it if not to play it up? Steve is not a stupid guy, he knows a breach is a much bigger deal than an incident. He also knows that 316 incidents in 18 months is pretty damn insignificant, especially with no details. My torrent server has more security incidents in that time than that... Turn your router's logging on, some routers will report every little damn thing as a security incident even down to every single blocked packet in some cases.
 
And I just want to point out that just because you might lean a certain way politically doesn't mean it's an excuse for poor security on a site that would depend on maintaining consumer privacy.

It's not acceptable regardless of where you fall on the political spectrum, and people need to stop being enablers.

Steve, as to where the money went - into the political coffers for the next campaign, of course - that, and that 3 million dollar yacht.... ;)
I bet you're one of those who said Macs were inherently more secure than PCs, when it was (and is) a case of expending resources where you're most likely to get a pay off. Every website gets attacked. And every website is vulnerable. But as someone else said, the main question is what does the attack rate look like over time?
 
Not one time in the article is the word breach used. Why reword it if not to play it up? Steve is not a stupid guy, he knows a breach is a much bigger deal than an incident. He also knows that 316 incidents in 18 months is pretty damn insignificant, especially with no details. My torrent server has more security incidents in that time than that... Turn your router's logging on, some routers will report every little damn thing as a security incident even down to every single blocked packet in some cases.


Umm, Because I think if you take a moment and ask him, he's going to tell you that he actually thought a security incident equated to some kind of breach or penetration. I just don't think Steve knew at that time that even an attempt at defeating security, even a port probe, would constitute a security incident. I think it's just an honest mistake born of a little ignorance when it comes to government IT babble. I know Steve is a smart guy, but it's not the first time I've seen him make a mistake. I don't think his intentions were to misrepresent anything. I think he just wanted to give it his normal flair for dramatic effect.

And I don't even think it deserves a whole lot more attention. Give him one of these :facepalm: as a reward, I bet he takes it in good grace.
 
"This could have been avoided if we had more money" in 3.....2.....1.....
 
Security Incidents do not equate to security breaches. Any probe is a security incident. Someone leaving their smart card in their smart card reader is a security incident, etc etc. Someone getting a spearphishing email is a security incident. Getting the picture?

Even a site with perfect security would still have security incidents as long as someone is trying to get in to it.

Oh my God, they must be serving iced tea in hell because lcpiper and I agree on something. Incidents != breaches.
 
Knowing the company (CGI) that coded that site I'm not really surprised. They probably charged the government like 100 grand to fix each security hole too.
 
That's pretty good, considering the profile of the site we're talking about.

It's also pretty good considering 47% of Americans dislike the law for various reasons.

You can't tell me this sucker hasn't got a big ol' target on its back.
 
Oh my God, they must be serving iced tea in hell because lcpiper and I agree on something. Incidents != breaches.
Technically that's true. But Incidents could = Breach or Worse. And when you consider the source and their tendency to nuance their disasters and a media that lets them away with it. It would be unwise to do anything but conclude the worst, if you actually have your data in there. Which we almost all will one way or another in a couple of years.
 
Exactly. And at least we know about it. Unlike data breaches at Neiman, and Target, and....and...and...and...

How many data breaches did private insurance companies and health care companies suffer each in the same period? No one knows.

Exactly, at least we know about what they only told us about. Oh, wait..........
 
Surprised? The government generally fails at most that it does.
It's so large the right hand is clueless what the left hand is doing.
 
Government this and Obama that.. Isn't the website a contract with a private institution? Isn't the ACA mostly passing tax dollars to private insurance? Yeah it's soooo government control of healthcare.. We are the UK...Omg!!!
 
316 whatevers is irrelevant...could be 7 billion, still irrelevant... Did any succeed? How many people and what information? A la Target, Home Depot?
 