The folks who run the Washington Healthplanfinder online exchange heard from several consumers who said that when they needed a new password from the website, the password was emailed to them in plain text, making it relatively easy for anyone intercepting the e-mail to read. Those consumers were concerned about the security of that practice.
I checked with Curt Kwak, chief information officer of the Washington Health Benefits Exchange, which operates the site, regarding their password policies.
Kwak acknowledged that that was, indeed, the practice. “We do realize that sending passwords over email is not a good practice, but our system design has been reviewed by CMS [Centers for Medicare and Medicaid Services] and fully tested and validated by two independent QA [quality assurance],” Kwak said. “Plus, please note the comprehensive nature of our login process that mitigates much of the risk.”
Specifically, Kwak notes that although the password was emailed to the user, the user’s ID was not included in the email. “The password alone is not enough for a user to log in,” Kwak said. “They need to go through a number of steps to log in.”
Still, the exchange has in the past week changed the procedure. According to Kwak, now it is only a temporary password that is emailed to the user, and the user is forced to change the password upon login.
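The revised procedure Kwak describes (a temporary password sent by e-mail, with a forced change at first login) is a standard pattern, and the part that actually limits the damage from an intercepted message is what happens server-side: the mailed credential is random, short-lived, single-use, stored only as a salted hash, and can never become the account's standing password. The following Python is an added illustration of that pattern and is not the exchange's code; the in-memory `USERS` store, the 15-minute lifetime, the 12-character minimum and the PBKDF2 iteration count are all assumed values chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed in-memory user store standing in for the exchange's database (assumption).
USERS: dict = {}

PBKDF2_ITERATIONS = 100_000           # assumed; tune upward for production hardware
TEMP_PASSWORD_TTL_SECONDS = 15 * 60   # assumed policy: a mailed credential lives 15 minutes
MIN_PASSWORD_LENGTH = 12              # assumed policy


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the store never holds a cleartext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _matches(password: str, salt: bytes, expected: bytes) -> bool:
    return hmac.compare_digest(_hash_password(password, salt), expected)


def create_user(user_id: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[user_id] = {
        "salt": salt, "hash": _hash_password(password, salt),
        "temp_salt": None, "temp_hash": None, "temp_expires": None,
    }


def issue_temporary_password(user_id: str, now: Optional[float] = None) -> str:
    """Mint a random, single-use, time-limited temporary password.

    The cleartext is returned exactly once so the caller can e-mail it; only a
    salted hash is stored, so a database dump or a later look at the record
    does not reveal it. The user's existing password stays valid until the
    temporary one is actually used, so a stranger requesting a reset cannot
    lock the real user out.
    """
    now = time.time() if now is None else now
    user = USERS[user_id]
    temp = secrets.token_urlsafe(12)   # ~96 bits of entropy, not guessable
    user["temp_salt"] = os.urandom(16)
    user["temp_hash"] = _hash_password(temp, user["temp_salt"])
    user["temp_expires"] = now + TEMP_PASSWORD_TTL_SECONDS
    return temp


def _clear_temporary(user: dict) -> None:
    user["temp_salt"] = user["temp_hash"] = user["temp_expires"] = None


def login(user_id: str, password: str, new_password: Optional[str] = None,
          now: Optional[float] = None) -> str:
    """Return "ok", "bad_credentials", "expired" or "change_required".

    A temporary password only ever yields a session if a new, different
    password is set in the same step, and it is discarded once used, so a
    copy intercepted in transit is worthless after the legitimate login.
    """
    now = time.time() if now is None else now
    user = USERS.get(user_id)
    if user is None:
        _hash_password(password, b"\x00" * 16)   # same work for unknown users (timing)
        return "bad_credentials"

    if user["temp_hash"] is not None and _matches(password, user["temp_salt"], user["temp_hash"]):
        if now > user["temp_expires"]:
            _clear_temporary(user)
            return "expired"
        if (new_password is None or new_password == password
                or len(new_password) < MIN_PASSWORD_LENGTH):
            return "change_required"
        user["salt"] = os.urandom(16)
        user["hash"] = _hash_password(new_password, user["salt"])
        _clear_temporary(user)
        return "ok"

    if _matches(password, user["salt"], user["hash"]):
        return "ok"
    return "bad_credentials"
```

Two points worth checking in any real implementation of this flow: the temporary password must be rejected as the new password (otherwise "forced change" is cosmetic), and it must stop working the moment it has been used, so that an attacker who reads the e-mail later holds nothing. The e-mail itself remains the weak link; the controls above only shrink the window in which reading it pays off.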