Thursday, January 23, 2014

Opportunistic Marketers Exploit Opening at Healthcare.gov

    At least three marketers of health-related or insurance products and services have taken advantage of the "data-set" feature at Healthcare.gov to give themselves a virtual presence on the federal government's Obamacare site.  The ability to use a web address containing "healthcare.gov" may lend credibility and even imply endorsement by the government.  An informational website about schizophrenia called Schiz Life and a company hawking an anti-wrinkle skin product called Vivexin have both used the "profile" feature of data.healthcare.gov to introduce users to their services and products, as well as direct users to their respective websites.  A third profile even offers "universal life insurance" from No Exam Insurers.
    Here is an example of one of the profiles in question:

    The information is presented in a rather clinical fashion, but all the profiles contain links further down on the pages that direct users to websites where more information is given and, in some cases, products can be ordered.  There is no disclaimer anywhere on the profile pages that the information presented is not endorsed by Healthcare.gov, nor is there the customary warning found on many government websites that the pages contain "an external link that is not the responsibility of, or under the control of" the federal government.  
    The addresses of all three profile pages begin with "https://", which indicates a secure browser connection, providing further reassurance that the pages are a legitimate offering of the Obamacare site.  The "https://" is followed by "data.healthcare.gov", which is the domain also used for legitimate and intended purposes by the site's administrator and other registered users.  Thus, anyone could set up a similar profile (conceivably with more malicious purposes than these three sites appear to have) and proceed to advertise their data.healthcare.gov link on another website or in an email.  The Healthcare.gov address could easily influence the uninformed to believe that they are accessing government-sponsored webpages, leaving them wide open to "phishing" attacks where identity thieves extract personal and financial information from the unsuspecting.
    The three profiles described above appear to violate the terms of service of data.healthcare.gov, which prohibit "Unsolicited promotions, political campaigning, advertising or solicitations."  However, at least one of the profiles has been around for weeks, possibly longer.  Also, there is evidence that a fourth profile promoting an anxiety-reducing and/or weight-loss product has been directly linked to by external websites.
    The "data-set" feature of Healthcare.gov was established to allow users to sort and present the health insurance plans and data used by the site in various ways that might be helpful to those looking for a plan or those researching trends and patterns in the health insurance marketplace.  The site provides details of the different ways the data can be manipulated and even published.  There are a number of apparently legitimate users who have established profiles and created their own data sets.  The profiles even include social-media-type features such as photos and "followers."  But as is the case everywhere on the internet, without adequate safeguards and monitoring, there are always those who will subvert the intended purpose of a given website if given an opening.  As the cost of Healthcare.gov approaches half a billion dollars, it is clear more money is not always the answer.  When it comes to earning the trust of the public, Healthcare.gov obviously has more work to do.

Note: A version of this post first appeared at The Weekly Standard.
