Federal investigators found significant cybersecurity weaknesses in the health insurance websites of California, Kentucky and Vermont that could enable hackers to get their hands on sensitive personal information on hundreds of thousands of people.

And some of those flaws have yet to be fixed.

The vulnerabilities were discovered by the Government Accountability Office, the investigative arm of Congress, and were shared with state officials last September.

The publicly released version of the GAO report did not identify the three states that were studied, but The Associated Press obtained their names through a Freedom of Information request.

Vermont authorities would not discuss the findings, but officials in California and Kentucky said this week that there was no evidence hackers succeeded in stealing anything.