After three months of open enrollment and endless speculation, the Department of Health and Human Services released its third progress report for the Affordable Care Act this week that detailed  the demographics of enrollees.

Since Oct. 1, 2.2 million people have enrolled in plans via state and federal exchanges, and only 24% of  them are between the much-sought-after ages of 18-to-34, HHS reports. And while the Obama Administration says the report shows positive progress, it’s still far off from its original target numbers of enrollees.

The administration had set a own goal of having 3.3 million enrolled by the end of December 2013, and 7 million enrolled in year one of the ACA. Most importantly, 2.7 million of those year-one enrollees were expected to be young and healthy people to offset the cost of insuring older and less healthy individuals.

Under the ACA, every individual in the country must have insurance by the end of open enrollment period on April 1 or they will face a fine of $95 or 1% of their annual income for failing to comply.

Distance from Original Goals?

Yevgeniy Feyman, Manhattan Institute scholar, says the White House appears to be playing down their original goals, focusing instead on who is enrolling.

“They have moved as far away as possible from the 7 million number and the 3.3 million enrollee number for December. They are also no longer saying they need 40% of the pool to be young and healthy—they’re paring it back to 30%. This is bad for the public perception of the law, but the demographics could still get better.”

Brookings Institution visiting fellow Larry Kocot says there is still time and room for improvement in regard to the pool of enrollees.

“They are behind, so the focus is on the level of improvement they put in and how people are impacted by the rollout so far,” Kocot says. “And how many people are actually able to afford this.”

Another Deadline Delay

This week also brought about the tenth change or delay in the law since open enrollment kicked off on Oct. 1: the Pre-existing Condition Insurance Plan (PCIP) enrollment deadline is now March 15 from Jan. 31. The PCIP plan is a transitional program that provided coverage to people with pre-existing conditions starting in August 2010 until the federal and state exchanges went live.

“I think it’s a prudent step to protect vulnerable patients from instability that is still in the marketplace,” Kocot says. “Gaps in coverage are dangerous for them, it’s not a bad thing to do, but it demonstrates there are still issues with transitions and they are concerned about them.”

Feyman says he could see the deadline being further delayed if the demographics continue to skew towards older and less healthy people.

“The administration doesn’t want these people rushed into the exchanges, and they want to make sure the exchanges don’t become a high-risk pool,” he says. “By March 15, if they don’t have improved demographics, they may extend the deadline plan further into 2014.”

Congressional Security Hearings

A House of Representatives oversight committee held three separate hearings this week on the security of the federal exchange site Healthcare.gov, with Republicans questioning the safety of users’ data.

David Kennedy, a cyber security expert and head of computer security firm TrustedSec, called the site “100% insecure,” during his testimony Thursday.

Feyman says he fears security concerns will only worsen over time as hackers will figure out the site’s weaknesses and try to start taking advantage of those who apply online.

“With the website and exchanges, you have the open enrollment period and everyone knows about it—they know exactly when to jump in and that they have from March 31 till November to figure out how to steal people’s information,” he says.

Kocot says because continued issues with the site’s security continue to be raised, if a hack does occur, it will be a major issue for the administration.

“The committee is really concerned about and the administration seems to be saying, ‘everything is fine—there are no breaches,’” he says. “But the fact that people are on the record with their opinions—if there is a breach, it will be heard around the world. That being said, heightened emphasis on security isn’t a bad thing.” 

Follow Kate Rogers on Twitter at @KateRogersNews