A Government Accountability Office (GAO) examination of the state-run health insurance exchanges for California, Kentucky and Vermont identified inadequate security measures in place to protect consumers’ personal information. While state officials from Kentucky and California denied that any security breaches had occurred or that any personal data had been compromised as a result of the security weaknesses, state officials acknowledged that several of the flaws have not yet been remedied. Accordingly, the GAO has recommended that the federal government monitor cybersecurity measures on the state-run sites on an ongoing basis.

The GAO examination, which covered the time period from October 2013 to March 2015, identified several basic security flaws in the systems, including the failure to encrypt passwords, to use filters to block hostile access attempts and to use proper encryption on servers. The GAO report did not specify which state websites suffered from each problem.

Although state officials were notified of the GAO findings in September 2015, responses by state officials from California and Kentucky made clear that not all of the problems had yet been addressed. Officials from Vermont declined to respond to the findings. Due to expenses, Kentucky is in the process of dismantling its state-run exchange and will be transferring to the federal exchange, Healthcare.gov, later this year.