
Experian hacked Sep 2013 - Sep 2015; HealthCare.gov hacked Oct 2013 - Sep 2015.

HealthCare.gov Hacked



By Duane Thresher, Ph.D., July 25, 2020

HealthCare.gov, the Obamacare website, was launched in October 2013. Its launch was universally considered a monumental disaster and this was largely due to the IT incompetence of the website's foreign (Canadian) developers. There had been great concern HealthCare.gov would be hacked. When that didn't happen immediately it was taken as proof that its IT was secure. However, absence of evidence is not evidence of absence. Most hackers want to steal sensitive data, particularly identity data, undetected, and go to a lot of trouble for the undetected part, since it means they can continue to steal data, which is constantly updated, for years. Data breaches are thus often not discovered, and made public, until years later, if ever. In early March 2020, I made the shocking discovery, reported nowhere else, that HealthCare.gov, via Experian, had been hacked from its launch in October 2013 until September 2015, i.e. for 2 years.

I was at the HealthCare.gov launch, unfortunately (like me living in Manhattan on 9/11). I was running my own business and needed to get my family health insurance. Getting health insurance at HealthCare.gov then could only be described as a multi-night nightmare; literally full frustrating work days in front of the computer, trying, repeatedly and unsuccessfully, to apply through the IT incompetent HealthCare.gov website.

A big part of the problem was that HealthCare.gov used Experian for the required identity verification (a.k.a. authentication) — you couldn't get health insurance until you got through that. Experian is one of the major credit reporting agencies, like Equifax. To squeeze even more money from the personal data for credit ratings they have gathered without permission, Experian also offers an identity verification service. Experian pretends that it has identity verification data on all Americans — so its service will not fail most of the time — but that is total nonsense. Many Americans have no credit rating because they pay all their bills on time, don't have any loans, and don't have credit cards.

If Experian had no identity verification data on you, like it didn't for millions of Americans, you had to mail in paper copies of all your ID to them before you could get health insurance on HealthCare.gov.

Experian admitted on 1 October 2015 to a data breach lasting over two years — from 1 September 2013 to 16 September 2015 — that exposed to hackers the private information of anyone who used its services, including its identity verification service. HealthCare.gov, which as described used Experian for identity verification, was launched in October 2013, after Experian had been hacked. So HealthCare.gov was hacked too, and for two years (at least).

Experian admits at least 15 million people were victims, but this may not include the far greater millions who used HealthCare.gov. HealthCare.gov never made this data breach public. Why would they? HealthCare.gov has always been on very shaky ground and under attack and a disclosure like this could, rightfully, end them. And if HealthCare.gov wouldn't admit the data breach, why would Experian admit that its data breach was far worse than the 15 million people it did admit to? Neither organization cares about anything but their own continued existence and massive profits. They certainly don't care about the millions of people they've hurt, their identities stolen.

All data breaches are caused by IT incompetence and the most important IT credential is a good IT education.

John Finch was Experian's Global CIO, "Leader of Experian's Global Cyber Security Operation", from September 2011 to August 2013. Experian said, over two years later, that the data breach began 1 September 2013 (it might have been earlier given that first of the month date, which also might have been chosen to fall between Finch's and his successor's tenures, to avoid anyone having to take responsibility). While Finch's successor took over in September 2013, the IT incompetent insecure conditions that let in the hacker(s) were in place before September 2013, and were thus Finch's fault.

John Finch has no IT education, only a BS in business economics (from the low-ranked University of Hull; Finch is British). He is a complete IT incompetent. After his disastrous stint at Experian, Finch became the CIO for the Bank of England. He spent only another couple of years there before fleeing again to Thomson Reuters, the giant media conglomerate and owner of the news organization Reuters. Finch seemed to run from job to job quickly so they would not have time to discover he was IT incompetent, much like Alex Stamos; see "Yahoo-Then-Facebook CISO Alex Stamos Allows Yet Another Massive Data Breach". Finch is now a private "advisor".

In early March 2020, I made the discovery that HealthCare.gov had been hacked via Experian when I tried using the Virginia State Corporation Commission's new website and discovered to my horror that they use Experian for identity verification. So I did some research into Experian identity verification, which is no better now than it was in late 2013, and made the discovery. I continue to deal with the Virginia State Corporation Commission using only mailed-in paper.

I pointed all this out to the Virginia State Corporation Commission, but they were not interested, especially since they were already having huge problems with their new IT incompetent website (sound familiar?). Maybe they'll be interested when ownership of some of the major corporations registered in Virginia starts being stolen by hackers.