In an exclusive interview with CNN aired Tuesday night, Health and Human Services Secretary Kathleen Sebelius said President Obama only learned about the issues with the healthcare exchange website in “the first couple of days” after the Oct. 1 launch.
“No one could be more frustrated than I am and the president,” Sebelius told CNN’s Dr. Sanjay Gupta. “We’re not at all satisfied with the workings of the website. We want it to be smooth and easy and let consumers compare plans.”
When Gupta pressed the secretary on whether Obama knew about the site issues before Oct. 1, Sebelius responded, “No.”
But the inspector general for HHS issued a report at the beginning of August noting that the Centers for Medicare & Medicaid Services missed multiple deadlines for testing and reporting data security risks in connection with signing up on the healthcare exchanges as they barreled toward the launch date.
“Several critical tasks remain to be completed in a short period of time, such as the final independent testing of the Hub’s security controls, remediating security vulnerabilities identified during testing, and obtaining the security authorization decision for the Hub before opening the exchanges,” said the report from Deputy Inspector General for Audit Services Gloria L. Jarmon to CMS Administrator Marilyn Tavenner and Chief Information Officer Tony Trenkle.
Tavenner was confirmed to her post in May. She succeeded Donald Berwick, a controversial recess appointment who eventually had to step down before he faced a losing Senate vote. Tavenner is set to appear before the House Ways & Means Committee next Tuesday to explain the Obamacare site failings.
The inspector general’s review approached “the adequacy of the development and testing of the Hub from a security perspective.” This included interviewing the contractors and CMS employees involved and reviewing the security testing data from March to May.
At the time of the review, “CMS and its contractors were continuing to develop the Hub and work with its Federal and State partners in testing the Hub to ensure its readiness in time for the initial open enrollment to begin.”
The report noticed that deadlines had been bumped and new “very tight deadlines” established to rush to finish security testing and certification of the site with the security authorization decision slated for Sept. 30, the day before launch.
This Aug. 2 report was hardly a secret confined to HHS. Senate Minority Leader Mitch McConnell (R-Ky.) used the report to call on the administration to not force people onto healthcare exchanges when the government was missing testing deadlines and benchmarks on the security of personal and financial data.
McConnell sent a letter to Tavenner stating “Americans should not be forced to enter into exchanges when CMS is so ill-prepared to guarantee the protection of personal data and taxpayer resources from hackers and cyber criminals who would use this sensitive data for personal gain.”
“As you know, I oppose Obamacare and support its full repeal. Yet in recent months, even some of the Administration’s closest allies have raised alarms about the potential implementation ‘train wreck’ to come. While I believe we ought to repeal this law and replace it with commonsense reforms that lower cost, Americans ought to be assured, at an absolute minimum, that their personal and financial data will be safe from data thieves,” he added.
McConnell noted that the final report from an independent testing organization assessing the system’s security was not even expected by HHS until 10 days before launch — “hardly enough time to fix any problems that may be identified.”
“Adding to these concerns are reports that CMS has signed a $1.2 billion contract with a company to receive, sort, and evaluate applications for financial assistance in the exchanges that include personal, sensitive data. According to published reports, this particular company ‘has little experience with the Department of Health Human Services or the insurance marketplaces, known as exchanges, where individuals and small businesses are supposed to be able to shop for insurance,’” the senator continued. “And just last year, it was disclosed that more than 120,000 enrollees in the federal Thrift Savings Plan had their personal information, including Social Security numbers, stolen from your contractor’s computers in 2011.”
He requested that CMS not rush forward with any sloppy security certification just to meet an Obamacare timeline.
“While I have grave concerns about this law under any circumstance, Americans should not be forced into the exchanges, and certainly not without these assurances,” McConnell wrote. “If you rush to go forward without adequate safeguards in place, any theft of personal information from constituents will be the result of your rush to implement a law to meet the agency’s political needs and not the operational needs of the people it is supposed to serve.”
Sen. Lamar Alexander (R-Tenn.) last week circulated an InformationWeek article detailing five “red flag” Obamacare site security warnings: all-access request for other sites, clickjacking threat, cookie theft, fake site, and scam psychology. “Given the high profile of healthcare.gov and other portals, as well as the sensitive information they handle, it wouldn’t be surprising if identity thieves, at least, do begin probing healthcare.gov and other sites weaknesses,” the article states.
Cybersecurity company founder John McAfee said on Fox that the site architecture is “outrageous” and comes with “no safeguards” to protect personal data.
Alexander said that even with three years to prepare, the administration thought it could get away with a bug-ridden system because people would want the product so much they just wouldn’t mind.
“I’ve been warning that a train wreck is coming with this law, but the truth is that no train wreck has ever had this many warning signs,” the senator said. “The avalanche of last-minute delays should make every American anxious about the quality of the health care they’ll be able to purchase in October and the security of the information they’ll have to provide.”
Sebelius on Tuesday named incoming Director of the Economic Council Jeff Zients “to work in close cooperation with our HHS team to provide management advice and counsel to the project” to fix the tech disaster.
“Working alongside our team and using his rich expertise and management acumen, Jeff will provide short-term advice, assessments and recommendations,” Sebelius said in a statement. “We’ve also brought in additional experts and specialists drawn from within government, our contractors, and industry, including veterans of top Silicon Valley companies. These reinforcements include a handful of Presidential Innovation Fellows. This new infusion of talent will bring a powerful array of subject matter expertise and skills, including extensive experience scaling major IT systems. This effort is being marshaled as part of a cross-functional team that is working aggressively to diagnose parts of HealthCare.gov that are experiencing problems, learn from successful states, prioritize issues, and fix them.”
“In addition to our efforts to ramp up capacity and expertise with the country’s leading innovators and problem solvers, we have secured additional staff and commitments from our contractors, including CGI, the lead firm responsible for the federally facilitated marketplace technology. They are providing and directing the additional resources needed for this project within the provisions of their existing contract.” CGI Group is Canada’s largest technology company.
On CNN, Sebelius said the launch wasn’t pushed back because “waiting is not really an option.”
“There are people in this country who have waited for decades for affordable health coverage for themselves and their families,” she said. Sebelius added that she was able to create an account on healthcare.gov but didn’t try signing up “because I have insurance.”
The House Energy and Commerce Committee is holding a hearing Thursday on the Obamacare failures. Sebelius was invited to testify but declined, citing a conflict with her schedule.
“Secretary Sebelius had time for Jon Stewart, and we expect her to have time for Congress,” Chairman Fred Upton (R-Mich.) said in a statement.