Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

California Implemented Security Controls Over the Web Site and Databases for Its Health Insurance Exchange but Could Improve Protection of Personally Identifiable Information

Issued on  | Posted on  | Report number: A-09-14-03005

Report Materials

Covered California, California's health insurance exchange, implemented security controls over the Web site and databases for its health insurance exchange, but improvements are needed to fully comply with Federal requirements and to increase protection of personally identifiable information (PII).

We reviewed Covered California's information security controls in place as of June 2014. We found that Covered California had implemented security controls, including policies and procedures, to protect PII on its Web site and databases but had not performed a vulnerability scan in accordance with Federal requirements. Also, Covered California's security plan did not meet some of CMS's minimum requirements for protection of marketplace systems, and Covered California did not have secure settings for some user accounts.

We recommended that Covered California implement our detailed recommendations to address the specific findings we identified.

Report Type
Audit
HHS Agencies
Centers for Medicare and Medicaid Services
Issue Areas
-
Target Groups
-
Financial Groups
-

Notice

This report may be subject to section 5274 of the National Defense Authorization Act Fiscal Year 2023, 117 Pub. L. 263.