Fixed Obamacare site still not secure, says hacker
The fixes completed this past weekend to get the federal Obamacare website running more smoothly for consumers did nothing to address security concerns, a cybersecurity expert who testified before Congress last month told CNBC on Thursday.
"If you look at the report that was released, they had fixed 400 bugs. None of those were addressed on security," said David Kennedy, a so-called "white hat" hacker who tests online security by breaching websites.
"There haven't been any [security] fixes yet," he said in a "Squawk Box" interview. "You're trying to rush to keep the website—the front-end that we see every day—up-and-running. Unfortunately when you do that and you don't do any testing around that, you introduce new exposures."
House Intelligence Committee Chairman Mike Rogers, R-Mich., echoed those sentiments in a separate appearance on the show. "We know that it's never been end-to-end stress-tested in a way that the industry would accept to even put anything online."
Shortly after delivering his assessment of vulnerabilities to a House panel on Nov. 19, Kennedy appeared on "Squawk Box," saying security was never built into the website in the first place. It was an assertion disputed at the time by the Department of Health and Human Services, which oversaw the implementation of HealthCare.gov.
HHS had said the components used to build the site are compliant with standards set by federal security authorities. It stood by that statement Thursday, saying: "The privacy and security of consumers' personal information are a top priority for us. Security testing happens on an ongoing basis using industry best practices to appropriately safeguard consumers' personal information."
Kennedy disagreed then and did so again on Thursday, telling CNBC that the so-called back-end of the website is a "train wreck."
Rogers said HealthCare.gov needs to be shut down and fixed by "outside, independent groups that do this for a living."
The federal website has almost 5 million lines of code, he said, claiming that the average corporate e-commerce site would have around 500,000.
"So now you've got all that added vulnerability that's really never been tested," he claimed.
He said the worst-case scenario of a HealthCare.gov breach could be a sophisticated "nation-state hacker" getting behind the government's online firewall. That would increase the likelihood the intruder would get sensitive data from the IRS, Department of Homeland Security or other federal agencies.