HealthCare.gov, the health insurance website serving more than 5 million Americans, has significant security weaknesses that put users’ personal information at risk, nonpartisan congressional investigators have found.

The Government Accountability Office said the Obama administration must resolve more than 20 specific security issues related to who can get into the system, who can make changes in it and what to do in case the complex network fails.

GAO, the investigative arm of Congress, found that the administration took a risk going live with HealthCare.gov last fall when the complex system was still not fully tested. Some testing was incomplete as of June.

While the administration “has taken important steps to apply security and privacy safeguards to HealthCare.gov and its supporting systems, significant weaknesses remain that put these systems and the sensitive, personal information they contain at risk of compromise,” Gregory Wilshusen, GAO’s director of information security, said in testimony prepared for the House Oversight and Government Reform Committee. The committee released his testimony Tuesday.

In its public assessment, the GAO outlined six broad areas where more work needs to done. They ranged from basics like following recommended best practices for government agencies, to more comprehensive testing of all elements of the system, to establishing a backup site for the HealthCare.gov and its supporting networks.

In an accompanying report that was not publicly released, Wilshusen said the agency listed 22 specific recommendations to resolve technical flaws. He said the administration agreed with all 22 specific recommendations, although it differed with some of the broader suggestions.

HealthCare.gov was hacked this summer, but no consumer information was stolen. Instead, hackers installed malicious software that could have been used to launch an attack on other websites from the federal insurance portal.

Federal computer systems get hundreds of cyberattacks every day, but this was believed to be the first successful one involving HealthCare.gov.

The health care site had numerous technical problems when it was launched last fall and was initially unworkable for most consumers. Among the issues that concerned the administration’s own technical experts at the time was that security testing could not be completed because the system was undergoing so many last-minute changes.

The part of HealthCare.gov that serves as the entry way for consumers eventually passed security certification, but the GAO revealed that security testing continued well into this year on other important components that deal with health plan information and financial management.

The report also confirmed flaws in state computer systems linking to the federal network, a problem reported earlier this year by The Associated Press.

Created by President Barack Obama’s law, HealthCare.gov is the online gateway to subsidized private insurance for people who don’t have access to a health plan on the job.

The site currently serves 36 states, and more may be added when open enrollment starts Nov. 15. The remaining states run their own insurance exchanges.

One of those states, Vermont, announced Tuesday that its technically troubled site has been taken down to fix numerous issues, including several security problems. Federal officials had been talking with their state counterparts about the concerns, and an administration spokesman in Washington said Vermont agreed to complete a series of fixes.

The Oversight and Government Reform Committee was scheduled to hold a hearing Thursday on the GAO report and the outlook for the second year of HealthCare.gov.

(AP)