Obamacare Site Tells Users to Change Passwords, Because Heartbleed Sucks, A Lot
Uh-oh: what is widely considered the biggest and most threatening flaw the web has ever seen may not just have impacted your Google and Facebook accounts, it could also be affecting Obamacare now, too. On Saturday, the administration urged users to change their passwords on Healthcare.gov because of the Heartbleed bug — although only as a "precaution," they emphasized. Which probably means you should get a new password, and soon.
The Heartbleed bug — a gaping flaw in the online security software OpenSSL, discovered earlier this month — essentially puts all of your personal information at risk, including passwords, banking information and emails. Because the software is pretty much the most popular encryption software available, it's used by all your trusted internet favorites, including Facebook, Google and Amazon — all of which, it turns out, haven't actually been able to protect your data.
Although the administration is maintaining that there's no reason to think the insurance website has, in fact, been affected by Heartbleed, a review of the Healthcare.gov is still ongoing and — just to be absolutely sure that all the stored data is safe — login information must now be updated. Reads the message on Healthcare.gov Saturday:
HealthCare.gov uses many layers of protections to secure your information. While there's no indication that any personal information has ever been at risk, we have taken steps to address Heartbleed issues and reset consumers' passwords out of an abundance of caution. This means the next time you visit the website, you'll need to create a new password. We strongly recommend you create a unique password – not one that you've already used on other websites.
As might be expected, certain members of Congress have made use of this announcement as fodder to once again attack Obamacare. “Even though IT experts asked HHS to include provisions in their final rules that would require the federal government to notify someone if their personal information has been breached, they declined to do so,” Rep. Diane Black (R-Tenn.) said in a statement. “This astonishing failure leaves millions of Americans vulnerable to cyber threats and identity theft, and the news today that users are being asked to change their passwords speaks volumes to the websites continued vulnerability.”
Officials have also indicated that mandated updating of login information may not just be limited to Healthcare.gov — other government websites (like those on the WhiteHouse.gov petitions page) may be asking for the same thing over the next few days. The irony of these notices can't be ignored — just last week, it was revealed (unsurprisingly) that the National Security Agency knew about (and even utilized) the Heartbleed bug to collect intelligence over the last two years. So, uh, whoops?