But he quickly added, "that's not an attempt to excuse anything — it's more a sad statement on the state of security across the breadth of sites."
And obviously most sites are not nearly as attractive to cyber attackers as one with connections to other government agencies — like the Internal Revenue Service (IRS) — with information on every citizen in the country.
Kennedy, who testified before the House Science and Technology Committee in January that serious security flaws remain on the site, said the statement from HHS is, "the default response they've sent all media requests."
But he said it is apparent when any website goes live, "whether or not security was integrated or even a thought in the development process." And he said the reality of Healthcare.gov is that, "unfortunately, when the site was released it had a number of flaws on the site and didn't have much when it came to security. We had documented a number of them and also contacted HHS to let them know of the exposures."
Other security experts agree that security was not a priority in the development of the site. "The evidence provided so far would indicate that the project was rushed to completion to meet a deadline after what I suspect could only be ineffective development," Wellstar's Fisher said.
Other experts who submitted written testimony to the January congressional hearing included Kevin Mitnick, known once as "the world's most wanted hacker," who is now CEO of Mitnick Security Consulting. "It's clear that the management team did not consider security as a priority," he wrote, noting that the danger of a breach involves much more than the site itself, since it retrieves information from other government agencies including the IRS, Social Security Administration, Department of Homeland Security, and various state agencies.
"It would be a hacker's wet dream to break into Healthcare.gov and potentially gain access to the information stored in these databases," he wrote, calling the lack of security "shameful."
Kevin Johnson, CEO of Secure Ideas, also submitted testimony that the site displays, "not only a basic lack of security testing...[but also] has been written by developers who have not been introduced to basic security training, nor understand the importance of security within an application."
Still, if the site is that vulnerable, with such a trove of valuable personal information that covers every citizen of the country, why hasn't there been a successful attack so far?
Kennedy and others say a successful attack may indeed have occurred, and that HHS either doesn't know or simply is not telling. "The federal government has no legal liability to disclose if a breach has occurred," he said, adding that after the site launched, there was testimony before Congress from contractors that showed the agency "didn't have the ability to detect if the site had been compromised or not."