My health insurance company is sending passwords in plaintext, what todo?

11 pointsmangoTangoBango4y ago8 comments

I got this message: Username: someUserName Password: somePassword Sorry for the long wait on this. Thank you!

This is from a plan that I bought off the Federal Exchange.

8 comments

Strictly speaking, having passwords in plaintext is legal but not secure since the HIPAA Security Rule is about protecting PHI. It's also possible that the passwords in their system aren't in plaintext, but customer service has to change the password and they need some way to send you the password. It sucks.

So how do get the company to change this? Your best bet is to contact the executive(s) in charge of compliance and security about this (you'll likely need to do some Googling and/or LinkedIn stalking).

The argument that you want to present to them is that the HIPAA Security Rule requires that a covered entity `Identify and protect against reasonably anticipated threats to the security or integrity of the information` and that in this day and age having passwords in plain text is a reasonably anticipated threat.

Reference: https://www.hhs.gov/hipaa/for-professionals/security/laws-re...

pedalpete4y ago

First off I'd go into my health insurance portal and change my password. Then use the forgot password, and see if they are still mailing your password in plain text. Do a bit of investigation to confirm that all passwords are still stored in plain text.

Once you can confirm that your password is sent in plain text, I'd contact the insurer to make sure they are aware of the security implications.

If you've read Troy Hunt at all, take a book out of his practice. They probably won't make any change, or understand, but you've tried to help.

Then, change insurance companies if you fear your data is at risk, which it probably is.

blackclub24y ago

Seems like we neeed more context? If you simply forget your password often, you can utilize password managers like LastPass or C2 Password to help to memorize credentials

hedora4y ago

If it's a new account, no big deal. Just reset the password. If someone MITMed the email, and hijacked the account, then call customer service.

Otherwise, no harm, no foul?

(Hopefully it will force a reset on first login, and reject the emailed password...)

willcipriano4y ago

Needs more context, that sounds like a human sent that email. Did you request something out of the ordinary to cause a human to be involved in account sign up? When you login, are you promoted to change the password?

armendhammer4y ago

Could the FCC get involved in this or would that be the wrong agency to contact?

jazzyjackson4y ago

Unless your credit card info is also plaintext, I don't think it is a law or anything, no?

And this is a password you set? old systems would email you a new password to log in & change it, vs a one time use link nowadays.

bin_bash4y ago

just don't use that password anywhere else

j / k navigate · click thread line to collapse