The Healthcare.gov account creation process is not the only system component to expose user email addresses: the email subscription management system makes it even easier to determine if an email address exists in the system.
The footer of emails from Healthcare.gov contains a link to a Subscriber Preferences Page that can be used to subscribe to and unsubscribe from emails from Healthcare.gov.
Clicking the link goes to a form requesting an email address.
When I enter an email address associated with a Healthcare.gov Marketplace user account, the site shows that the email address is subscribed to a topic called "For Account Holders". There is no challenge to verify that I am the owner of the entered email address.
When I enter an email address that is not associated with a Healthcare.gov account, I get a different response -- a form to create an email subscription account.
In providing a different response for email addresses that have Healthcare.gov accounts and those that do not, this email subscription system is revealing whether or not an email address is tied to a Healthcare.gov account. This information may be useful to attackers seeking unauthorized access to Healthcare.gov.
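One way to close this kind of leak, shown here as an added example rather than anything from Healthcare.gov's own code: the preferences form returns the same response for every address, and the topics are only shown to someone who follows a time-limited, HMAC-signed link that is sent to the mailbox itself. The address list, secret key and token lifetime are constructed assumptions.

```python
# Added example (not from the original post): a preference-management flow that
# does not reveal whether an address is in the system.
import hmac, hashlib, time, secrets

# Constructed sample data: addresses that hold accounts in this hypothetical system.
ACCOUNT_EMAILS = {"holder@example.com": ["For Account Holders"]}
SERVER_KEY = secrets.token_bytes(32)  # hypothetical server-side secret
TOKEN_TTL = 900  # seconds a preferences link stays valid

def lookup_vulnerable(email):
    """Pattern described in the post: the response differs by account status."""
    if email in ACCOUNT_EMAILS:
        return {"status": "subscribed", "topics": ACCOUNT_EMAILS[email]}
    return {"status": "signup_form"}

def make_token(email, now=None):
    """Time-limited HMAC token sent to the mailbox, never shown in the HTTP response."""
    ts = int(now if now is not None else time.time())
    sig = hmac.new(SERVER_KEY, f"{email}|{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{sig}"

def verify_token(email, token, now=None):
    """Constant-time check of the signature plus an expiry window."""
    try:
        ts_str, sig = token.split(".", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    current = int(now if now is not None else time.time())
    if ts > current or current - ts > TOKEN_TTL:
        return False
    expected = hmac.new(SERVER_KEY, f"{email}|{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)

def request_preferences_link(email, outbox):
    """Hardened lookup: identical response for every input; the link goes out of band."""
    if email in ACCOUNT_EMAILS:
        outbox.append((email, make_token(email)))  # outbox stands in for the mailer
    return {"status": "check_email",
            "message": "If this address is in our system, we emailed a link to manage preferences."}

def get_preferences(email, token):
    """Topics are shown only to a caller who proves mailbox control via the token."""
    if not verify_token(email, token) or email not in ACCOUNT_EMAILS:
        return None
    return ACCOUNT_EMAILS[email]
```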
Oh, and when I unsubscribed from emails, I got a confirmation email telling me that unsubscribing means that I'll receive future email updates.
You unsubscribed from topics:
- For Account Holders
You will receive an email update when new information becomes available.