Associated Press, via New York Times:
WASHINGTON — The government stored sensitive personal information on millions of health insurance customers in a computer system with basic security flaws, according to an official audit that uncovered slipshod practices.
The Obama administration said it acted quickly to fix all the problems identified by the Health and Human Services inspector general’s office. But the episode raises questions about the government’s ability to protect a vast new database at a time when cyberattacks are becoming bolder.
Among the policy mistakes: User sessions were not encrypted, contrary to standard practice on financial websites. “Not doing so is inexcusable for such sensitive data,” said Michelle De Mooy, deputy director for consumer privacy at the Center for Democracy & Technology, an Internet rights group.