Federal investigators found significant cybersecurity weaknesses in the health insurance websites of California, Kentucky and Vermont that could enable hackers to get their hands on sensitive personal information on hundreds of thousands of people.
And in some cases, the flaws have yet to be fixed.
The vulnerabilities were discovered by the Government Accountability Office, the investigative arm of Congress, and were shared with state officials last September.
The publicly released version of the GAO report did not identify the three states that were studied, but The Associated Press obtained their names through a Freedom of Information request.
Lawrence Miller, Vermont's director of health reform, said in an email that the state had changed vendors since the period of the GAO review. During the transition, Miller wrote, "we ensured the correct controls were in place" to meet the federal standard.
Officials in California and Kentucky said this week that there was no evidence hackers succeeded in stealing anything.
April 8, 2016, 6:00 am: This story has been updated to include comments from Lawrence Miller.