Public Summary Report: New York Implemented Security Controls Over Its Health Insurance Exchange Web Site and Database but Could Improve Security Controls

This summary report provides an overview of the results of our audit of the information security controls at New York's health insurance exchange, New York State of Health (New York marketplace). It does not include specific details of the vulnerabilities that we identified because of the sensitive nature of the information. We have provided more detailed information and recommendations to the New York marketplace so that it can address the issues we identified. The findings listed in this summary report reflect a point in time regarding system security and may have changed since we reviewed these systems.

Although we did not identify evidence that the vulnerabilities in the New York marketplace's Web site had been exploited, exploitation could have resulted in unauthorized access to and disclosure of personally identifiable information (PII), as well as disruption of critical marketplace operations. As a result, the vulnerabilities were collectively and, in some cases, individually significant and could have potentially compromised the confidentiality, integrity, and availability of the marketplace. In addition, without proper safeguards, systems were not protected from individuals and groups with malicious intent to obtain access in order to commit fraud, waste, or abuse or launch attacks against other computer systems and networks.

We recommended that the New York marketplace improve the protection of PII on its Web site in accordance with Federal requirements by adequately securing its Web site. Because of the sensitive nature of our findings, we have not listed the detailed findings in this summary report.

In written comments on our draft report, the New York marketplace did not indicate concurrence or nonconcurrence with our recommendation or the specific vulnerabilities identified.

Filed under: Centers for Medicare and Medicaid Services