UPDATE x4: Who Can Spot the Problem with this news story??

This AP Newswire story was published by Tampa Bay/Sarasota station WTSP at 5:23pm yesterday, September 24, 2015:

"Critical" flaw found in HealthCare.gov security

WASHINGTON -- The government's own watchdogs tried to hack into HealthCare.gov earlier this year and found what they termed a critical vulnerability - but also came away with respect for some of the health insurance site's security features.

Those are among the conclusions of a report released Tuesday by the Health and Human Services Department inspector general, who focuses on health care fraud.

The report amounts to a mixed review for the federal website that serves as the portal to taxpayer-subsidized health plans for millions of Americans. Open enrollment season starts Nov. 15.

So-called "white hat" or ethical hackers from the inspector general's office found a weakness, but when they attempted to exploit it like a malicious hacker would, they were blocked by the system's defenses.

It's the second independent security assessment in as many weeks to find problems, and it comes on the heels of the massive breach at Home Depot stores,which affected 56 million credit and debit cards.

The public version of the report is a condensed, heavily edited summary of detailed findings delivered to the Obama administration.

Yikes! That's definitely a serious issue which needs to be addressed ASAP, right?

Well...you know, except for the part where the actual article specifically states that "when they attempted to exploit it like a malicious hacker would, they were blocked by the system's defenses."

So...you know, not quite so "critical" after all, I guess.

However, there's one other little problem. You might note that there appears to be a typo in the third paragraph, which lists the start of Open Enrollment as November 15, when in fact it's actually November 1st; the HHS Dept. moved the start date up two weeks this year.

Here's the problem: That's no typo. Or, more accurately the entire article is a typo.

Here's what I mean...check out this AP Newswire article from September 23, 2014...exactly 1 year and one day earlier:

Obamacare website plagued by ‘critical' flaw, inspector general finds 

The government's own watchdogs tried to hack into HealthCare.gov earlier this year and found what they termed a critical vulnerability - but also came away with respect for some of the health insurance site's security features.

Those are among the conclusions of a report being released Tuesday by the Health and Human Services Department inspector general, who focuses on health care fraud.

The report amounts to a mixed review for the federal website that serves as the portal to taxpayer-subsidized health plans for millions of Americans. Open enrollment season starts Nov. 15.

So-called "white hat" or ethical hackers from the inspector general's office found a weakness, but when they attempted to exploit it like a malicious hacker would, they were blocked by the system's defenses.

It's the second independent security assessment in as many weeks to find problems, and it comes on the heels of the massive breach at Home Depot stores, which affected 56 million credit and debit cards.

The public version of the report is a condensed, heavily edited summary of detailed findings delivered to the Obama administration.

Yep. The AP reposted the exact same story a full year later.

The "2015 version" is still posted as of 12:10am Friday. Here's the screen shot if you doubt me:

On the one hand, I'm assuming this was an honest mistake which will soon be corrected.

On the other hand, it's been over 6 hours and the story is still posted on at least one Tampa Bay/Sarasota, Florida newspaper website (and possibly their print edition as well?), just 5 weeks before the Open Enrollment period starts again. In addition, of course, no one who's read the "2015 version" has any idea that this refers to a year-old technical issue which was fixed nearly a year ago.

UPDATE: Thanks to the L.A. Times' Michael Hiltzik for reminding me that not only did the AP post this exact article a year ago, I even wrote about it back then!

No wonder it seemed so familiar to me when I read it this evening!

UPDATE x2: A reader has noted that re-posting the story yesterday appears to be a screw-up by the local news station only (WTSP, Tampa Bay/Sarasota), not by the AP itself...it looks like WTSP simply re-published the story from the AP archives. 

Of course, this doesn't change the fact that the "Critical Flaw" headline was still BS in the first place.

Also, WTSP still has the article posted as of 8:40am Friday morning.

Title updated to reflect clarification.

UPDATE x3: Oh for heaven's sake. It turns out there really is a different, new AP story regarding other security issues at Healthcare.Gov**..although, once again, according to the CMS division, those issues have already been resolved:

The government stored sensitive personal information on millions of health insurance customers in a computer system with basic security flaws, according to an official audit that uncovered slipshod practices.

The Obama administration said it acted quickly to fix all the problems identified by the Health and Human Services inspector general's office. But the episode raises questions about the government's ability to protect a vast new database at a time when cyberattacks are becoming bolder.

...The flaws uncovered by auditors included issues of security policy — where mistakes can have bigger consequences — as well as 135 database vulnerabilities, of which nearly two dozen were classified as potentially severe or catastrophic.

Among the policy mistakes: User sessions were not encrypted, contrary to standard practice on financial websites. "Not doing so is inexcusable for such sensitive data," said Michelle De Mooy, deputy director for consumer privacy at the Center for Democracy & Technology, an Internet rights group.

...In a written response to the audit, Medicare administrator Andy Slavitt said that "the privacy and security of consumers' personally identifiable information are a top priority" for his agency. Slavitt said all of the high vulnerabilities were addressed within a week of being identified, and that all of the IG's recommendations have been fully implemented.

The Medicare agency is conducting weekly vulnerability assessments of MIDAS, and an annual security review, Slavitt said.

Thanks to Matthew Martin in the comments for the link. As he suggested, it sounds like what might have happened is that someone at WTSP probably heard something about an AP story about HC.gov security issues, pulled up the year-old story and ran that by mistake.

If so, that would rule out it being intentional...but it's still a pretty bad mistake which should be corrected. As of 9:30am, it still hasn't been...

**UPDATE x4: HOLD EVERYTHING. SEE FOLLOW-UP STORY.

Advertisement