My health insurance company is sending passwords in plaintext, what todo?

11 points by mangoTangoBango 4 years ago | 8 comments

I got this message: Username: someUserName Password: somePassword Sorry for the long wait on this. Thank you!

This is from a plan that I bought off the Federal Exchange.

twunde 4 years ago |

Strictly speaking, having passwords in plaintext is legal but not secure since the HIPAA Security Rule is about protecting PHI. It's also possible that the passwords in their system aren't in plaintext, but customer service has to change the password and they need some way to send you the password. It sucks.

So how do get the company to change this? Your best bet is to contact the executive(s) in charge of compliance and security about this (you'll likely need to do some Googling and/or LinkedIn stalking).

The argument that you want to present to them is that the HIPAA Security Rule requires that a covered entity `Identify and protect against reasonably anticipated threats to the security or integrity of the information` and that in this day and age having passwords in plain text is a reasonably anticipated threat.

Reference: https://www.hhs.gov/hipaa/for-professionals/security/laws-re...

pedalpete 4 years ago |

First off I'd go into my health insurance portal and change my password. Then use the forgot password, and see if they are still mailing your password in plain text. Do a bit of investigation to confirm that all passwords are still stored in plain text.

Once you can confirm that your password is sent in plain text, I'd contact the insurer to make sure they are aware of the security implications.

If you've read Troy Hunt at all, take a book out of his practice. They probably won't make any change, or understand, but you've tried to help.

Then, change insurance companies if you fear your data is at risk, which it probably is.

blackclub2 4 years ago |

Seems like we neeed more context? If you simply forget your password often, you can utilize password managers like LastPass or C2 Password to help to memorize credentials

hedora 4 years ago |

If it's a new account, no big deal. Just reset the password. If someone MITMed the email, and hijacked the account, then call customer service.

Otherwise, no harm, no foul?

(Hopefully it will force a reset on first login, and reject the emailed password...)

willcipriano 4 years ago |

Needs more context, that sounds like a human sent that email. Did you request something out of the ordinary to cause a human to be involved in account sign up? When you login, are you promoted to change the password?

armendhammer 4 years ago |

Could the FCC get involved in this or would that be the wrong agency to contact?

jazzyjackson 4 years ago |

Unless your credit card info is also plaintext, I don't think it is a law or anything, no?

And this is a password you set? old systems would email you a new password to log in & change it, vs a one time use link nowadays.

bin_bash 4 years ago |

just don't use that password anywhere else