The security of the US health insurance website has been put at risk due to a lack of testing before the rushed launch in early October.
According to a government memorandum reviewed by Reuters this week, sensitive data, such as Social Security numbers, email addresses, phone numbers and birth dates of users could have been easily accessed by hackers as the rushed launch of the scheme forced the contractors to cut corners.
"From a security perspective, the aspects of the system that were not tested due to the on-going development exposed a level of uncertainty that can be deemed as a high risk," said the memo from Department of Health and Human Services officials James Kerry and Henry Chao.
However, a government spokeswoman said on Wednesday that steps to mitigate security concerns have been implemented since the memo was written on 27 September and that consumer data is secure.
The memo recommended the creation of a dedicated security team, weekly testing of servers, daily scans and a full security assessment within 60 to 90 days of launch. It provided for a temporary, six-month authority to operate the system.
According to the document, the recommendation was approved by Marilyn Tavenner, administrator of the Centers for Medicare and Medicaid Services, the lead agency at HHS managing the 2010 Affordable Care Act, commonly called Obamacare.
The memo came up during a US House of Representatives hearing on Wednesday to question HHS Secretary Kathleen Sebelius about technical problems that have stalled access to the website for millions of consumers. Sebelius confirmed its main points and said the plan to ensure security was underway.
Yet HHS spokeswoman Joanne Peters said that during the interim the public need not worry about the security of data entered on the site, which helps them identify and enrol in health insurance plans.
"When consumers fill out their online Marketplace applications, they can trust that the information they're providing is protected by stringent security standards and that the technology underlying the application process has been tested and is secure," she said.
Meanwhile, Connecticut's state-run online exchange disclosed on Wednesday that it had experienced five attempted cyber-attacks, including two from a foreign country.