YES, you'll need to reset your HC.gov password. NO, this is no reason to freak out.
This naturally raised the question of whether the main Federal exchange website, Healthcare.gov, was also vulnerable. I checked the site the day that the Heartbleed story went public last Wednesday and it did not show up as being vulnerable. In addition, on that same day Mashable reported that HC.gov was NOT one of the major sites impacted by the bug.
However, just to be certain (and because, frankly, it's a good idea to reset your password every six months or so anyway), the HHS Dept. has taken the precaution of doing a batch password reset for every account on the site:
Washington (CNN) - A cybersecurity scare is forcing Obamacare enrollees who used the HealthCare.gov site to sign up for an insurance plan to now change their passwords.
The Obama administration says that although there is no immediate threat to users, all enrollees have had their password reset and now must create a new password.
...The site has already reset users’ accounts. Now, when they sign in, they will be prompted to create a new, unique password. The site includes a step-by-step process on how to do so and provides a hotline for any users who experience difficulty.
As a website developer and system administer myself, who spent the good part of 2 days patching and then resetting my own servers and client accounts a week and a half ago, I can tell you that while the Heartbleed bug itself is definitely serious, there is absolutley nothing wrong with the administration doing what they've done, and in fact it's exactly what they should do under the circumstances.
To reiterate: They're pretty sure there was no vulnerability, but as a precaution they've already reset everyone's passwords. The only reason you need to reset yours is to allow you back into the system, not because someone else can get in.
OpenSSL is an encryption system which is used in something like half to 2/3 of the web servers around the world. Most of the largest and most technologically sophisticated companies around either were vulnerable (or may have been) to the Heartbleed bug and had to patch their own servers and issue password reset notices, either due to a known vulnerability or just as a precaution, including Facebook, Instagram, Pinterest, Tumblr, Google, Yahoo, Etsy, GoDaddy, Flickr, Netflix, Dropbox and WordPress.
While it's certainly worth taking seriously, no matter what FOX News says (and you just know they're gonna try to run with this), there is no reason to freak out about Healthcare.gov.
So, the next time you go to HC.gov and are told that you need to reset your password, just go ahead and follow the instructions. It should take all of 60 seconds including the confirmation response, and you should be good to go. For that matter, now that open enrollment is over, I suspect that most people won't even bother logging back into their accounts until/unless they have a major life change, some confirmation issue or until the 2nd open enrollment period opens this November.
So, what about the 15 state-run exchanges?
- California: ALL GOOD (either patched or never vulnerable)
- Colorado: ALL GOOD (either patched or never vulnerable)
- Connecticut: ALL GOOD (either patched or never vulnerable)
- District of Columbia: ALL GOOD (either patched or never vulnerable)
- Hawaii: (see above...ALL GOOD now, but do reset your password)
- Kentucky: ALL GOOD (either patched or never vulnerable)
- Maryland: UNSURE (connection refused)
- Massachusetts: ALL GOOD (either patched or never vulnerable)
- Minnesota: ALL GOOD (either patched or never vulnerable)
- Nevada: UNSURE (connection refused)
- New York: ALL GOOD (either patched or never vulnerable)
- Oregon: ALL GOOD (either patched or never vulnerable)
- Rhode Island: UNSURE (connection refused)
- Vermont: UNSURE (connection refused)
- Washington: ALL GOOD (either patched or never vulnerable)
IMPORTANT: The ones noted "ALL GOOD" simply means that those exchange websites are secure now. It's still possible that one or more of them were vulnerable at some point in the past, so it's still a good idea to reset your passwords on those sites as well. I'd advise contacting the exchange directly if you have any questions or concerns about this issue.
As for the Maryland, Nevada, Rhode Island and Vermont exchanges, the fact that the connection was refused when I ran the test does not mean that they're vulnerable, it simply means that for one reason or another the Heartbleed test wasn't able to connect to those servers or had some other issue when attempting to do so. Again, I would strongly advise contacting those exchanges directly to confirm whether they're vulnerable or not, and whether you need to reset your passwords there as well.
One other thing: When you do reset your password, for the love of God do not make it something insanely obvious like any of these.