Letter to Legislative Auditor about MNsure.org Security Problems, Feb 2, 2014
Dear Legislative Auditor,
I have some specific concerns about security for your report on MNsure.
I have been trying to get health coverage using MNsure since the 3rd week of October, so far nothing.
-
Since Jan 7, 2014 I have seen the well-known "man in the middle attack" problem of mixing http and https on the same https page as shown by my Firefox browser. Here are pages with this problem on 3 subdomains.
https://plans.mnsure.org/mnsa/planadvisor/plan_advisor.htm?flow=anonymous
https://payment.mnsure.org/financials
https://auth.mnsure.org/appeals/appeals-information-page.jsp
-
There is an SOW at http://mn.gov/buyit/statements/3181.pdf to do a several phase 3rd party security audit on MNsure. I have not seen any part of its report. Did the contract get let? Who got the contract? Where are the audit reports? Are they a part of the project record documents?
-
REMOVE ADDTHIS.COM from MNSURE.ORG
Addthis.com on MNsure.org is a commercial website that is tracking and selling my information by putting linking menus to Facebook, Twitter, etc. This has nothing to do with my private decision to get health care.
Addthis.com is known for a malware browser tool bar that changes home pages, broadcasts your information and is difficult to remove like a virus. I do not want the State of MN to give my private insurance decisions away to be sold by mercenary commercial sites.
Addthis.com JavaScript files are also double installed incorrectly on the www.mnsure.org home page adding to overhead. On my browser, Firefox, the Addthis.com menu garbage covers up part of the MNsure menu making it even more difficult to use the already terrible MNsure.org site navigation.
Third party site dependencies affect uptime and website response. With the current uptime record of mnsure.org the site does not need third party dependencies.
-
REMOVE GOOGLE-ANALYTICS.COM from MNSURE.ORG
google-analytics.com is throughout the MNsure.org website, supposedly for "analysis". The effect is the State of MN is giving away my private insurance session information, possibly income, family and state program information to a known tax dodging mercenary company that has had its information given to the NSA and stolen by the NSA and possibly others.
It is laughable that any MNsure "analysis" is taking place with "google-analytics" since the MNsure software development, testing and implementation is an OPTUM REPORT documented shambles and they clearly have not even looked at the obvious existing webserver error logs to clear up any of the broken links, missing pages and broken scripts scattered throughout the web site since OCT 1. They do not have the people or the skills to even keep the website operating 24 hours at a time, much less "analyze" anything from google-analytics.
Third party site dependencies affect uptime and website response. With the current uptime record of mnsure.org the site does not need third party dependencies.
-
Netcraft.com shows a security risk in its report on MNsure.org. Will someone at MNSURE ask them what it is and fix it?
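The following is an added example, not part of the letter and not MNsure's own code: a small audit that takes the HTML of an HTTPS page and reports the three things the letter complains about, namely subresources fetched over plain http (mixed content), scripts and other resources loaded from third-party hosts, and script files included more than once. The page URL, hostnames and paths in the sample are constructed placeholders, and the `audit` function and its `first_party` parameter are names chosen for this example.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose attribute makes the browser fetch a subresource.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class ResourceAudit(HTMLParser):
    """Classify the subresources referenced by one HTTPS page."""
    def __init__(self, page_url, first_party):
        super().__init__()
        self.page_url, self.first_party = page_url, first_party.lower()
        self.insecure = []        # http:// fetches (mixed content)
        self.third_party = set()  # hosts outside the first-party domain
        self.scripts = Counter()  # script URL -> times included

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(FETCH_ATTRS.get(tag, ""))
        if not value:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # canonical/alternate links are not fetched as page content
        url = urljoin(self.page_url, value)  # resolves relative and //host forms
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            return  # data:, javascript: and similar have no network host
        host = (parts.hostname or "").lower()
        if parts.scheme == "http":
            self.insecure.append(url)
        if host != self.first_party and not host.endswith("." + self.first_party):
            self.third_party.add(host)
        if tag == "script":
            self.scripts[url] += 1

def audit(page_url, html, first_party):
    parser = ResourceAudit(page_url, first_party)
    parser.feed(html)
    return {"insecure": parser.insecure,
            "third_party": sorted(parser.third_party),
            "duplicate_scripts": sorted(u for u, n in parser.scripts.items() if n > 1)}

# Constructed sample page; hostnames and paths are placeholders.
SAMPLE = """<html><head><link rel="stylesheet" href="/css/site.css">
<script src="//widgets.sharing.example/menu.js"></script>
<script src="//widgets.sharing.example/menu.js"></script>
<script src="http://stats.analytics.example/ga.js"></script></head>
<body><img src="http://portal.example.gov/logo.png"></body></html>"""

print(audit("https://portal.example.gov/plans", SAMPLE, "example.gov"))
```

The check only sees resources named in the static HTML; anything a script injects at run time needs a browser-side check such as a Content-Security-Policy report.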