Although the federal website exists at healthcare.gov, there are numerous state and third-party websites that don't have uniform domains.
To prevent getting scammed, "absolutely do not use a search engine as your starting point when looking for coverage," writes Christopher Budd, threat communications manager for Trend Micro security.
Instead, start at a known trusted source, such as the federal government's or your state government's website. "Use these sites to identify the resources they’ve identified as trustworthy," Budd writes. "With that information you can then get more information by going to the sites they recommend (by typing the URL in yourself)."
In addition, legitimate third-party sites aren't required to provide site verification.
"A survey of state and third-party sites also shows that official sites aren’t required to provide the ability to verify the site using SSL [Secure Sockets Layer]: many of them don’t provide it for site verification at all, though the federal site does."
So, as people look for health care exchanges, "they're going to be faced with potentially hundreds or thousands of sites that claim to be legitimate but won’t be able to easily verify that claim."
Identity thieves and other cybercriminals have been buying vaguely official-sounding domain names for months in anticipation of harvesting unsuspecting healthcare consumers' data, and some of these scam sites actually have better search-engine rankings than official sites.