The web portal used by millions of consumers to get health insurance under President Barack Obama's law has logged more than 300 cybersecurity incidents and remains vulnerable to hackers, nonpartisan congressional investigators said Wednesday.
The Government Accountability Office said none of the 316 security incidents appeared to have led to the release of sensitive data on HealthCare.gov, such as names, birth dates, addresses, Social Security numbers, financial information, or other personal information.
Most of the incidents over nearly 18 months seemed to have involved electronic probing by hackers. HealthCare.gov offers subsidized private health insurance for people who don't have access to workplace coverage.
Although GAO said the administration is making progress, its report concluded that security flaws "will likely continue to jeopardize the confidentiality, integrity and availability of HealthCare.gov."
Investigators identified weaknesses protecting sensitive information that flows through a key part of the system, called the data services hub. Operating behind the scenes, the hub pings federal agencies such as Social Security, IRS and Homeland Security to verify the personal details of consumers.
The report also found "significant weaknesses" in health insurance sites operated by states, which connect to the data hub. Currently, 12 states and Washington, D.C., run their own websites.
Federal computer systems - from the Defense Department to the White House - are frequent targets for hackers. The HealthCare.gov incidents took place between October 2013 and March 2015.
HealthCare.gov's data hub is one of the administration's major technology projects, and has generally been regarded as successful. Even as the consumer-facing part of the system crashed during the botched rollout of the health care law in 2013, the hub continued to operate smoothly.
However, GAO said it found shortcomings, including insufficiently tight restrictions on "administrator privileges" that allow a user broad access throughout the system, inconsistent use of security fixes, and an administrative network that was not properly secured.
Overall, 41 of the security incidents involved personal information that was either not properly secured or was exposed to someone who wasn't authorized to see it. Nearly all of those were classified as having a moderately serious impact.
In another type of incident, a list of government-employee account IDs, including passwords, was transmitted to staffers in an unencrypted email. That prompted a crash effort to create new passwords.
The report was released by Republican committee chairmen in the House and Senate on the sixth anniversary of the Affordable Care Act, even as the administration was talking up the achievements of the law, which has extended coverage to millions previously uninsured. Lawmakers asked the administration for more detail on security issues.
In a formal response to GAO, the Health and Human Services department said the security and privacy of consumer data is a top priority. The administration accepted the agency's recommendations for improvements.
Separately, GAO said it also submitted 27 cybersecurity recommendations in a report that isn't being made public due to its sensitive nature.
Catch the latest from the Consumer Electronics Show on Gadgets 360, at our CES 2026 hub.