At a House hearing on Wednesday, U.S. Secretary of Health Kathleen Sebelius acknowledged security concerns facing Healthcare.gov but said the site had not been hacked.
Until last week, anyone could easily reset Obamacare applicants' passwords and potentially hijack their accounts. The glitch was discovered last week by a software tester in Arizona, and CNNMoney reported the security vulnerability on Tuesday. Health spokeswoman Joanne Peters told CNNMoney that the Department of Health made key changes this week, eliminating the "theoretical vulnerability."
Sebelius rebutted incorrect assertions by Republican Congressmen that the website had been hacked.
"There was not a breach," Sebelius said. "It was a theoretical problem that was immediately fixed."
Though the security hole was never exploited, the problem was quite real -- at least until last week. Anyone who could guess an existing user name and had a basic understanding of how to read a website's code could potentially access someone's account.
Congressman Mike Rogers, R-Mich., also asked Sebelius about the security implications of putting in so many patches and fixes. He said that adding in new computer code exposes the entire system to new risks. He also accused health officials and their many contractors of not performing a system-wide security test, a tech industry standard.
"You did not have the most basic end-to-end test on security in the system" Rogers said. "Amazon ( would never do this." )
When Rogers asked if the federal government would be willing to shut down the Obamacare website until such a test is done, Sebelius said no.
Apparently, red flags on security issues had been raised before. When Rogers questioned Sebelius, he disclosed the existence of a memo in which top health officials warned Sebelius that the Obamacare system didn't complete a necessary security test because of "system readiness issues."
During the hearing, Sebelius spoke at length about the website's many issues, apologized for its shortcomings and promised they would all be resolved by the end of November -- even while most of the site remained down Wednesday morning.