[UPDATE BELOW] For an unknown period of time, anyone who logged onto the New York State health plan website had the ability to download a range of sensitive, private information belonging to other users. The incredible glitch was discovered by Robert Parks, a cofounder of Oyster, after he received an email last Saturday notifying him that he had a message from the New York State of Health website. In an essay for Medium, Parks explains that when he logged onto the website to access his message, he realized that the method used to distribute it could enable anyone logged in to randomly access other users' messages. Let Parks explain:
After fumbling my way through their login process and eventually to my message inbox, I clicked to view my new message. I expected the message to appear on screen, but instead a pdf was downloaded. A pdf titled “Template012.pdf.” A strange way to implement a messaging system; I figure the pdfs are intended to be printed out and mailed and the message inbox just links to the electronic copy of the file on some file server. I recently implemented file uploading and downloading on my website, so I got curious about their implementation.
Within about 30 seconds I discovered that I, or any logged in user, could download any message regardless of the intended recipient. That was quite worrisome considering that the messages all contain names, addresses, and account numbers, and depending on the type of message it could contain household member names and account numbers, income information, and health insurance selections.
Parks held off on publicizing the gaffe until after he informed CSC, the company that made the site, and saw to it that it was fixed. But as he points out, "the worst part is that we have no idea if this happened, and based on the lack of basic security implementation I seriously doubt that CSC has the logs to determine if such an attack took place."
The press office at the New York State Health Department tells us they are looking into the matter, but did not comment further.
Parks is far from the first user to be frustrated by the New York health care website. One extremely dissatisfied user has gone through the trouble of creating a helpful spreadsheet guide for anyone feeling flummoxed by the website's chunkiness and overwhelming array of options. Check it out here; open enrollment ends January 31st.
Update 4:41 p.m.: A health department spokesperson has sent us this statement: "The consumer, who is a NY State of Health (NYSOH) account holder and an information technology professional, notified The NY State Department of Health (DOH) that while he was logged into his own Marketplace account he intentionally changed a document identifier in order to see if he could access standard notices that did not belong to him. Based on our investigation this consumer accessed five notices that were not related to his account. These notices do not contain social security numbers or dates of birth. Actions were immediately taken to prevent other account holders who might attempt this type of intentional activity."
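The flaw Parks describes and the department confirms (a document identifier taken from the request and used as a lookup key with no check that the notice belongs to the logged-in account) is a missing authorization check, and his second complaint is that nothing was logged to show whether it had been exploited. The following is an added illustration, not code from the NY State of Health site, CSC, or Parks: a download handler in the vulnerable shape beside a scoped version that records every attempt, plus a small review query over that log. All users, document ids, filenames and contents are constructed for the example.

```python
"""Added example (not code from the NY State of Health site or CSC):
an ownership check on a per-account document download, plus the audit
trail needed to answer "did this happen?" after the fact.
All account names, document ids and file contents are constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Document:
    doc_id: int
    owner: str        # account the notice was generated for
    filename: str
    body: bytes


class DocumentNotFound(Exception):
    """Raised for both missing and foreign documents, so the caller cannot
    distinguish 'does not exist' from 'belongs to someone else'."""


# Constructed sample store: three notices belonging to two accounts.
DOCUMENTS = {
    101: Document(101, "alice", "Template012.pdf", b"%PDF notice for alice"),
    102: Document(102, "bob", "Template012.pdf", b"%PDF notice for bob"),
    103: Document(103, "bob", "Template044.pdf", b"%PDF notice for bob #2"),
}

# Append-only audit log: who asked for which id, and whether it was served.
AUDIT_LOG: list[dict] = []


def download_vulnerable(session_user: str, doc_id: int) -> bytes:
    """The pattern the article describes: the id from the request is used
    directly as the lookup key. The session user is never consulted."""
    return DOCUMENTS[doc_id].body


def download(session_user: str, doc_id: int) -> bytes:
    """Hardened version: the lookup is scoped to the caller's own account,
    and every attempt is logged before the outcome is decided."""
    doc = DOCUMENTS.get(doc_id)
    allowed = doc is not None and doc.owner == session_user
    AUDIT_LOG.append({"user": session_user, "doc_id": doc_id, "allowed": allowed})
    if not allowed:
        raise DocumentNotFound(doc_id)
    return doc.body


def can_download(session_user: str, doc_id: int) -> bool:
    """Convenience wrapper: True if the hardened handler serves the file."""
    try:
        download(session_user, doc_id)
        return True
    except DocumentNotFound:
        return False


def suspicious_users(log: list[dict], threshold: int = 3) -> dict[str, int]:
    """Review query over the audit log: accounts with `threshold` or more
    denied document requests look like id enumeration and merit a look."""
    denied = Counter(entry["user"] for entry in log if not entry["allowed"])
    return {user: n for user, n in denied.items() if n >= threshold}


if __name__ == "__main__":
    print(download_vulnerable("alice", 102))   # served: no ownership check
    print(can_download("alice", 102))          # False: scoped lookup refuses it
    print(suspicious_users(AUDIT_LOG, threshold=1))
```

Two design points worth noting: the hardened handler raises the same exception for a foreign id as for a nonexistent one, so responses do not confirm which ids are in use, and the log line is written before the decision is returned, so a denied request leaves a record even if the caller never receives a file. With a log of that shape, the question Parks raises ("we have no idea if this happened") becomes a query rather than a guess.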