Suppose there was a company that deliberately designed a website with big enough holes in security that you could drive a semi through them. Further suppose that the company then launched a billion-dollar ad blitz luring customers to that site. The CEO of the company went on national TV touting the benefits of the website and urged people to use it.
Later, when the security flaws were exposed by identity thieves and hackers who proceeded to steal the personal information of users, wouldn’t that company be liable for any losses suffered by consumers? Perhaps some enterprising prosecutor could even charge principles in the company with criminal facilitation, given the deliberate design flaws that resulted in the security breach.
Yes, we’re talking about HealthCare.gov and the jaw-dropping evidence that has come to light that the website was constructed without security being built into it.
“When you develop a website, you develop it with security in mind. And it doesn’t appear to have happened this time,” said David Kennedy, a so-called “white hat” hacker who tests online security by breaching websites. He testified on Capitol Hill about the flaws of HealthCare.gov last week.
“It’s really hard to go back and fix the security around it because security wasn’t built into it,” said Kennedy, chief executive of TrustedSec. “We’re talking multiple months to over a year to at least address some of the critical-to-high exposures on the website itself.”
Even more incredibly, not only is the administration denying there’s much of a problem, the president himself is leading the effort to lure the marks right into the tender clutches of the thieves and hackers circling the website like vultures as this is being written:
Now that the website is working for the vast majority of people, we need to make sure that folks refocus on what’s at stake here, which is the capacity for you or your families to be able to have the security of decent health insurance at a reasonable cost through choice and competition on this marketplace and tax credits that you may be eligible for that can save you hundreds of dollars in premium costs every month, potentially.
So we just need people to — now that we are getting the technology fixed — we need you to go back, take a look at what’s actually going on, because it can make a difference in your lives and the lives of your families. And maybe it won’t make a difference right now if you’re feeling healthy, but I promise you, if somebody in your family — heaven forbid — gets sick, you’ll see the difference. And it will make all the difference for you and your families.
The hackers can read too. You’ve got to assume they’ve been perusing the same stuff we’ve been reading about the “limitless” security problems with HealthCare.gov. How long do you think it will be before we have our first major hack of the website? Or one of the state exchanges?
And do you think the administration will inform us if one occurs?
It may well be open season on insurance consumers if they use the HealthCare.gov website, but it will also be open season on taxpayers because the IRS has failed to design a system that will be able to detect fraudulent attempts to game the subsidy regime by cheats who will try to receive benefits for which they are ineligible.
In effect, the IRS is putting us on an honor system where we are all supposed to accurately report our income. It is an open-ended invitation to fraud, as the Treasury inspector general for tax administration points out in a report issued Tuesday:
“The IRS’ existing fraud detection system may not be capable of identifying (Affordable Care Act) refund fraud or schemes prior to the issuance of tax return refunds,” said the report by J. Russell George, the Treasury inspector general for tax administration. “The IRS reported that the long-term limitations of its existing fraud detection system include its inability to keep pace with increasing levels of fraud,” the report said.
Less of a problem but still a potential fraudster’s dream will be the lack of reporting by companies in group plans that already offer their employees “affordable” coverage. Because of the delay in the employer mandate, companies won’t be telling the IRS what kind of plans they are offering their employees. An enterprising cheat could drop his “qualifying” employer-sponsored coverage, choose a plan via the exchange, receive a subsidy making his premium dirt cheap, and because the IRS has no clue that his employer was sponsoring a “qualified” plan, he would get away with bilking the taxpayer.
Rather than actually address the potential for fraud, acting IRS Commissioner Danny Werfel put on his happy face and told us the IRS has mastered basic arithmetic and can accurately figure taxpayer subsidies:
“The IRS has a strong, effective system in place for administering the Premium Tax Credit,” Werfel said. “We have a proven track record of safely and securely transmitting federal tax information, and we have a robust and secure process in place to deliver this important credit for taxpayers.”
Mr Werfel should also know that the IRS has a proven track record of failing miserably to scotch fraud when dispensing tax credits:
“Refundable credits are fraught with fraud peril,” Robert Kerr, senior director of government relations at the National Association of Enrolled Agents, said in an email.
“Lots of money goes out the door, and IRS generally cannot determine in advance whether the taxpayer is truly eligible.”
Inviting hackers and identity thieves to ply their trade by deliberately ignoring key security issues for the website while also holding the door open for fraud and abuse at the IRS is nothing less than aiding and abetting criminals in the commission of their crimes. These are not honest mistakes, or even simple bureaucratic blunders. The political imperatives of rushing to get the HealthCare.gov site online without adequate attention to built-in security and the usual carelessness we get from the IRS when it comes to guarding the taxpayers’ cash is a disaster-in-waiting.
The administration is midwife to a potential crime wave for which nobody appears to be accountable.