FIXED: As of 11/05 (maybe sooner), this issue has been fixed. The last step of account creation no longer sends the email verification code (also the password reset code) to the user's browser. This fix should now prevent people from activating accounts using others' or fake email addresses.
At the end of the Healthcare.gov account creation process, the site sends an email to the provided email address that contains a URL to activate your account. Email verification systems like this are common and help ensure that the person who creates an account on a system actually owns the email account.
However, Healthcare.gov's email validation is fundamentally flawed: it returns the email verification code (the one that is emailed) to the browser. This enables people with malicious intent to create a Healthcare.gov account with another person's email address and activate it without ever receiving the verification email.
The design of this email verification system suggests it was created by someone with no understanding of the purpose of what they built.
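The flaw and its fix, as an added sketch that is not code from Healthcare.gov or from the original post: the activation code must reach the user only through the mailbox, and a regression check can assert that the registration response never contains it. All function names, the "activationCode" field, and the in-memory OUTBOX and PENDING stores are hypothetical and constructed for this example.

```python
import hashlib
import hmac
import json
import secrets

OUTBOX = []    # stand-in for the mail system (constructed for this example)
PENDING = {}   # email -> SHA-256 hex digest of the activation token

def _issue_token(email):
    """Create a one-time activation token; only its hash is kept server-side."""
    token = secrets.token_urlsafe(32)
    PENDING[email] = hashlib.sha256(token.encode()).hexdigest()
    OUTBOX.append((email, token))  # the mailbox is the only channel meant to carry it
    return token

def register_flawed(email):
    """The flaw described above: the emailed code is also echoed to the browser."""
    token = _issue_token(email)
    # "activationCode" is a hypothetical field name, not the site's real response
    return json.dumps({"status": "pending", "email": email, "activationCode": token})

def register_fixed(email):
    """Fixed form: the response confirms the request and carries no secret."""
    _issue_token(email)
    return json.dumps({"status": "pending", "email": email})

def activate(email, token):
    """Activate only if the presented token matches the stored hash; single use."""
    expected = PENDING.get(email)
    presented = hashlib.sha256(token.encode()).hexdigest()
    if expected is None or not hmac.compare_digest(expected, presented):
        return False
    del PENDING[email]
    return True

def response_leaks_token(register, email):
    """Regression check: does the registration response contain the mailed token?"""
    body = register(email)
    mailed_token = OUTBOX[-1][1]
    return mailed_token in body
```

Running response_leaks_token against every response in the sign-up and password reset flows, as part of the test suite, catches this class of mistake before release.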