An investigation by the Government Accountability Office (GAO) found security flaws in 3 of 3 state Obamacare exchanges it examined, suggesting similar problems would likely be found at other state-based exchanges.

The GAO released a report on its findings last month but that report did not name the 3 states involved. It took an FOIA filing by the Associated Press to get that information:

Federal investigators found significant cybersecurity weaknesses in the health insurance websites of California, Kentucky and Vermont that could enable hackers to get their hands on sensitive personal information about hundreds of thousands of people, The Associated Press has learned. And some of those flaws have yet to be fixed.

The full GAO reports says investigators found “significant weaknesses” in those three states and spelled out how those weaknesses could be used to compromise accounts and gain access to the systems (though it did not reveal which flaw was found in which state):

One state did not encrypt connections to the authentication servers supporting its system. The MARS-E requires passwords to be encrypted when they are being transmitted across the network. However, the authentication servers we reviewed were configured to accept unencrypted connections. As a result, an attacker on the network could observe the unencrypted transmission to gather usernames and password hashes, which could then be used to compromise those accounts.

One state did not filter uniform resource locator (URL) requests from the Internet through a web application firewall to prevent hostile requests from reaching the marketplace website. NIST Special Publication 800-53 requires the enforcement of access controls through the use of firewalls. However, the state did not fully configure its filtering to block hostile URL requests from the Internet. As a result, hostile URL requests could potentially scan and exploit vulnerabilities of the portal and potentially gain access to remaining systems and databases of the marketplace.

One state did not enforce the use of high-level encryption on its Windows servers. NIST Special Publication 800-53 and MARS-E require that if an agency uses encryption, it must use, at a minimum, a Federal Information Processing Standards 140-2–compliant cryptographic module. However, the state did not configure its Windows Active Directory and Domain Name System servers to require the use of Federal Information Processing Standards–compliant algorithms. As a result, the servers may employ weak encryption for protecting authentication and communication, increasing the risk that an attacker could compromise the confidentiality or integrity of the system.

The GAO also looked at the security of the federal marketplace and over a two year period of time identified 316 security incidents of various types:

cybersecurity

However, the report notes that none of the incidents it identified involved a hacker compromising data but were, “the result of errors such as information being sent to the incorrect recipient.” Despite this, the report finds plenty of holes that could still be exploited:

While CMS has taken steps to secure the data hub, we identified weaknesses in the technical controls protecting the data flowing through the system. Specifically, CMS did not effectively implement or securely configure key security tools and devices to sufficiently protect the users and information on the data hub system from threats to confidentiality, integrity, and availability…

…we identified other security weaknesses in controls related to boundary protection, identification and authentication, authorization, encryption, audit and monitoring, and software updates that limit the effectiveness of the security controls on the data hub and unnecessarily place sensitive information at risk of unauthorized disclosure, modification, or exfiltration.

So while there is no evidence hackers have gained access to American’s private data yet, GAO concludes the data will “likely remain vulnerable until the agency addresses weaknesses” identified in the report.