Posted on 10/22/2013 9:19:14 PM PDT by InsidiousMongo
A flaw in the security for the healthcare.gov website discloses the pricing pre-subsidized and divulges personal info of any and all navigators.
Please note that these databases contain an export button so you can save it to your own PC. This is a serious flaw.
Personal Info Breach Link:
https://data.healthcare.gov/dataset/Navigators/qyne-xyvd
Pricing Info:
https://data.healthcare.gov/dataset/QHP-Individual-Medical-Landscape/ba45-xusy
It’s not valuable for an exposé.
Thanks Laz. How would you rate it? Kindergarten coding, standard, high-class, etc? Or can you even rate it?
I'm in Federal contracting and I didn't see anything that would violate Fed standards (at least at the first link). No PII was out there. PII is Personally Identifying Information. Simple phone numbers and addresses, without the name of an individual, are not PII. This is not a back door, that I can tell, either.
Truth is that they have no idea what they have there. There are probably so many back doors in this system that it will become a test subject on how not to do a secure website. It was never really live or beta tested, so they had no idea what would happen once the switch was flipped.
I’m assuming this is the proverbial horse turned giraffe.
It doesn’t rate. These are instructions to a coder on how to send information to the API (Application Portal Interface). Not a violation, and no big deal.
Ease off the alarm, folks. I’m in the field; I see nothing to flip out about (so far). There’s probably plenty of real problems, no point in wasting outrage on nothing.
;)
This is normal coding and application activity -- unless somehow I'm missing something. I will circle around back later and double-check it.
In the meantime, I will ask Admin to take this down off of Breaking News (but not to delete the thread).
LOL!
Oh yeah...just leave it alone and get the popcorn!
Sure there's no security for looking up plans, but why should there be? I just downloaded all the data for Virginia, roughly 1000 plans, into a JSON file. Perfect format and informative. Why should it be restricted?
{
  "premium_child" : "143.64",
  "state" : "VA",
  "rating_area" : "Rating Area 8",
  "premium_family" : "800.76",
  "premium_couple" : "578.16",
  "premium_older_single" : "403.99",
  "premium_single_parent_family" : "544.02",
  "display" : "Yes",
  "plan_marketing_name" : "Anthem HealthKeepers Silver DirectAccess - cbfs",
  "issuer" : "Anthem Blue Cross and Blue Shield",
  "county" : "CRAIG",
  "metal_level" : "Silver",
  "premium_single" : "237.06",
  "plan_type" : "HMO"
}
Didn’t you have to get a key to do so? Or were you doing this outside of the API (some kind of site scraping or an export function on the site)? I am only asking, because I wanted to do something similar, but have absolutely no intention of applying for a key.
I agree that there isn’t anything wrong here. The API actually looked better than most (many APIs look like they are written by people who want to say that they have an API, but don’t want people to actually use it).
Agreed. Thusly why I was trying to calm the FR folks....
No PII was being exposed... no loss, no foul.
Could you put me on the Nevermind Ping List?
Ummm....it’s supposed to be public
https://www.healthcare.gov/health-plan-information/
I even downloaded the spreadsheet
I don’t really even see the need for https, since this is all publicly available information.
No key, no application, no signup, no nothing. But it is essentially public info so I don’t see a problem.
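The disagreement in this thread comes down to one question: does a dataset with an export button contain personal data, or only public plan pricing and organisational contact details? Below is an added example (not code from the thread or from healthcare.gov) of the kind of pre-release check a data owner would run over exported records. The plan record mirrors the JSON quoted above; the two contact records and the classification rule (a name, SSN or e-mail makes a record PII, a bare phone number or address is only contact data) are constructed assumptions following the thread's own argument.

```python
import json
import re

# Constructed samples, not fetched from any live portal.
PLAN_RECORD = json.loads("""{"premium_child": "143.64", "state": "VA",
 "rating_area": "Rating Area 8", "premium_family": "800.76",
 "plan_marketing_name": "Anthem HealthKeepers Silver DirectAccess - cbfs",
 "issuer": "Anthem Blue Cross and Blue Shield", "county": "CRAIG",
 "metal_level": "Silver", "premium_single": "237.06", "plan_type": "HMO"}""")
ORG_CONTACT_RECORD = {  # hypothetical organisation-level row, no person named
    "organization": "Example Community Health Center",
    "phone": "555-012-3456",
    "address": "123 Main St, Richmond, VA",
}
NAVIGATOR_RECORD = {  # hypothetical row naming an individual
    "organization": "Example Community Health Center",
    "contact_name": "Jane Example",
    "phone": "555-012-3456",
    "email": "jane@example.org",
}

# Field names that identify a person directly. "plan_marketing_name" must not
# match, so only a bare or person-prefixed "name" counts.
DIRECT_KEY = re.compile(r"^(contact_|first_|last_|full_)?name$|(^|_)(ssn|dob|email)($|_)", re.I)
VALUE_PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "phone": re.compile(r"^\+?\d[\d\s().-]{8,}\d$"),
}

def classify_fields(record):
    """Return {field: reason} for every field that looks like personal data."""
    hits = {}
    for key, value in record.items():
        if not isinstance(value, str):
            continue
        if DIRECT_KEY.search(key):
            hits[key] = "identifier-like field name"
            continue
        for label, pattern in VALUE_PATTERNS.items():
            if pattern.match(value.strip()):
                hits[key] = f"value matches {label} pattern"
                break
    return hits

def review_for_release(record):
    """Classify a record as 'public', 'contact-data' or 'PII' before export."""
    hits = classify_fields(record)
    direct = sorted(k for k, why in hits.items()
                    if "identifier" in why or "ssn" in why or "email" in why)
    if direct:
        return "PII", direct
    return ("contact-data", sorted(hits)) if hits else ("public", [])
```

Run over a real export, the "PII" rows are the ones that should be reviewed or redacted before the dataset goes on a portal with an export button; "contact-data" rows are the case the thread argues is acceptable to publish.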