WASHINGTON — People who have accounts on the enrollment website for President Obama’s signature health care law are being told to change their passwords following an administration-wide review of the government’s vulnerability to the confounding Heartbleed Internet security flaw.
Senior administration officials said there is no indication that the HealthCare.gov site has been compromised and the action is being taken out of an abundance of caution. The government’s Heartbleed review is ongoing, the officials said, and users of other websites may also be told to change their passwords in the coming days, including those with accounts on the popular WhiteHouse.gov petitions page.
The Heartbleed programming flaw has caused major security concerns across the Internet and affected a widely used encryption technology that was designed to protect online accounts. Major Internet services have been working to insulate themselves against the problem and are also recommending that users change their website passwords.
Officials said the administration was prioritizing its analysis of websites with heavy traffic and the most sensitive user information. A message that was posted on the health care website starting Saturday reads: “While there’s no indication that any personal information has ever been at risk, we have taken steps to address Heartbleed issues and reset consumers’ passwords out of an abundance of caution.”
The health care website became a prime target for critics of the Obamacare law last fall when the opening of the insurance enrollment period revealed widespread flaws in the online system. Critics have also raised concerns about potential security vulnerabilities on a site where users input large amounts of personal data.
The website troubles were largely fixed during the second month of enrollment and sign-ups ultimately surpassed initial expectations. Obama announced this week that about 8 million people had enrolled.
The full extent of the damage caused by the Heartbleed is unknown. The security hole exists on a vast number of Web servers and went undetected for more than two years. Although it’s conceivable that the flaw was never discovered by hackers, it’s difficult to tell.