The federal government's HealthCare.gov website continues to be riddled with flaws that expose confidential user data to the public, a security expert testified Thursday at a hearing on Capitol Hill.

David Kennedy, founder of security firm TrustedSec, told members of the House of Representatives Science Committee that only one of 18 issues he reported in November had been fixed, and even then he identified ways that attackers could bypass the remedy. Kennedy didn't discuss specifics of the vulnerabilities out of concern that details would make it easier for criminals to exploit the weaknesses. Generally, he said some of the weaknesses leaked usernames, e-mail addresses, and other data contained in user profiles onto the open Internet, making it possible for unauthorized people to access the information using Google or other search engines. The testimony came as top security officials from the US Department of Health and Human Services (HHS), which helps oversee HealthCare.gov, were appearing before a separate House hearing.

"TrustedSec cannot state with 100 percent certainty that the back-end infrastructure is vulnerable," Kennedy wrote in a statement submitted in advance of Thursday's proceedings. "However, based on our extensive experience performing application security assessments for over 10 years, the website has the symptoms that lead to large-scale breaches for large organizations. Also note that all exposures have been reported, and TrustedSec would be more than willing to have discussions with HHS to address the security concerns."

HealthCare.gov is the portal website that administers Obamacare in 36 states. Its inability to handle even modest traffic during its October rollout badly tarnished what is arguably President Obama's signature legislation. Shortly after the launch, Kennedy and several other security experts also criticized the site for failing to follow established practices for protecting user data. In November, Kennedy warned of 18 vulnerabilities. Since then, he said he has learned of at least 20 more from fellow researchers.

In his testimony, he wrote:

TrustedSec’s opinion still holds strong that the website fails to meet even basic security practices for protecting sensitive information of individuals and does not provide adequate levels of protection for the website itself. This opinion is not unique, as other security researchers such as Bob Rich did extensive reconnaissance on the website and notified multiple areas of the federal government without response. Additionally, a second researcher, Scott White from TrustedSec, also worked on the discovery of what we know today on healthcare.gov. At this time, the risk is still present at healthcare.gov and there has been little effort to address the concerns identified by multiple security researchers. The healthcare.gov security threats demonstrate a much larger problem for the federal government in general. The lack of formal security testing and proactive security measures to which to adhere in the federal government is alarming.

Officials with the Centers for Medicare and Medicaid Services, the agency that runs the Obamacare site, issued a statement in response. "To date, there have been no successful security attacks on Healthcare.gov and no person or group has maliciously accessed personally identifiable information from the site." At Thursday's separate hearing before the House Oversight Committee, the agency's chief information security officer further defended the security of HealthCare.gov.

Responsible disclosure is no disclosure

One of the problems with the debate about the security of the site stems from the lack of specificity about the vulnerabilities reported by critics. Details matter. Showing exactly what user data is exposed, and under what conditions it can be extracted in real-world settings, would go a long way toward helping legislators and citizens decide whether the threats are being overblown or portrayed accurately. Unfortunately, such specifics often aren't possible in security discussions, since, as Kennedy and others have noted, they make attacks easier for criminals to carry out. Some researchers refer to this highly selective release of details as "responsible disclosure," a term that normally implies the details are eventually published once the operator has had a reasonable window to fix the flaw. Here, nothing has been published at all.

If federal officials really want to assuage concerns about the site's security, they should hire whitehat hackers to perform a thorough penetration test. The auditors should try the same potent techniques criminal hackers use every day on high-value targets, including those used to carry out the devastating network breach of retail chain Target. Officials should then publish the results, in partially redacted form if necessary, and use them to fix any serious flaws.

Until then, it will be hard for many people to use HealthCare.gov with confidence, particularly in light of the problems that have already plagued the site.