Public Summary Report: Connect for Health Colorado Generally Protected Personally Identifiable Information on Its Health Insurance Exchange Web Sites and Databases but Could Continue To Improve Information Security Controls

Connect for Health Colorado (C4HCO), Colorado's health insurance exchange, implemented security controls over its Web sites and databases, but improvements are still needed to fully comply with Federal requirements and to increase protection of personally identifiable information (PII).

We reviewed C4HCO's information security controls in place as of November 2014. We found that C4HCO had not updated the system security plan's supporting policies or ensured that vulnerabilities identified during prior scans were mitigated in a timely manner. Additionally, our database security scans identified numerous weaknesses regarding user access administration and inadequate security settings. Moreover, C4HCO had not performed incident response testing. In written comments on our draft report, C4HCO concurred with our detailed recommendations and described corrective actions that it had taken or planned to take.

Before issuing our draft report, we shared information with C4HCO officials on the vulnerabilities we had identified and on our preliminary findings. C4HCO, working in conjunction with its systems integrator, began remediation efforts before we completed our fieldwork. After we issued our final report but before we published this public summary, C4HCO gave us evidence to support its remediation efforts. Based on the evidence provided, C4HCO has successfully remediated the issues we found related to the system security plan and incident response testing and has partially remediated the issues we found related to the application production databases and vulnerability mitigation.

Copies can also be obtained by contacting the Office of Public Affairs at Public.Affairs@oig.hhs.gov.

Download the complete report.

Office of Inspector General, U.S. Department of Health and Human Services | 330 Independence Avenue, SW, Washington, DC 20201