FILE -- In this May 23, 2013 file photo, Peter Lee, executive director of Covered California, the state agency running the state's health insurance exchange, announces plans and prices that will be offered by private insurers during a news conference in Sacramento, Calif. California, Kentucky and Vermont had "significant" cybersecurity weaknesses in their state-run health insurance exchanges, federal investigators found, potentially exposing sensitive personal information for hundreds of thousand of consumers. (AP Photo/Rich Pedroncelli,file)
FILE -- In this May 23, 2013 file photo, Peter Lee, executive director of Covered California, the state agency running the state's health insurance exchange, announces plans and prices that will be offered by private insurers during a news conference in Sacramento, Calif. California, Kentucky and Vermont had "significant" cybersecurity weaknesses in their state-run health insurance exchanges, federal investigators found, potentially exposing sensitive personal information for hundreds of thousand of consumers. (AP Photo/Rich Pedroncelli,file)

Frankfort, Ky. — Federal investigators found significant cybersecurity weaknesses in the health insurance websites of Vermont, California and Kentucky that could enable hackers to get their hands on sensitive personal information about hundreds of thousands of people, The Associated Press has learned. And some of those flaws have yet to be fixed.

The vulnerabilities were discovered by the Government Accountability Office, the investigative arm of Congress, and shared with state officials last September. Vermont authorities would not discuss the findings, but officials in California and Kentucky said this week that there was no evidence hackers succeeded in stealing anything.

Regulators said that given the number of weaknesses they discovered in just the three states studied, other state-run health insurance exchanges could be vulnerable, too. The GAO recommended the federal government continually monitor cybersecurity at such sites.

Computer security flaws are just the latest headache for the state exchanges. Some, like Oregon’s, suffered crippling technical problems when they were launched in 2013. Some states, like Hawaii, turned operations back to the federal government because of cost concerns.

The GAO report examined the three states’ systems from October 2013 to March 2015 and released an abbreviated, public version of its findings last month without identifying the states. On Thursday, the GAO revealed the states’ names in response to a Freedom of Information request from the AP.

According to the GAO, one state did not encrypt passwords, potentially making it easy for hackers to gain access to individual accounts. One state did not properly use a filter to block hostile attempts to visit the website. And one state did not use the proper encryption on its servers. The report did not say which state had what problem.

Kentucky’s insurance exchange will be dismantled later this year. But Kentuckians’ information might not be any safer on the federal exchange.

According to the GAO report, Healthcare.gov had 316 security incidents between October 2013 and March 2015. Such incidents can include unauthorized access, disclosure of data or violations of security practices. None resulted in lost or stolen data, but the GAO said technical weaknesses with the federal system “will likely continue to jeopardize the confidentiality, integrity and availability of Healthcare.gov.”

In Vermont, Lawrence Miller, director of health reform for Democratic Gov. Peter Shumlin, would not discuss details of the GAO findings.