The government's own watchdogs say they tried to hack into HealthCare.gov earlier this year and found what they termed a critical vulnerability.
But they also came away with respect for some of the security features on the Obama administration's health insurance website.
The report is being released Tuesday by the inspector general's office of the Health and Human Services Department.
It amounts to a mixed review for the federal site that serves as the portal to taxpayer-subsidized health plans for millions of Americans.
So-called white-hat hackers from the inspector general's office say they found a critical vulnerability during their security scans.
But the office said that when its experts attempted to mimic what a malicious hacker might try to do next, they were blocked by the system's defenses.