The PJ Tatler

Dozens of Dems Defect to Vote with GOP on Obamacare Security Bill

Perhaps they didn’t want to be associated with an administration that wants to keep any security breaches at the healthcare.gov website secret.

You pays your monies and yous takes your chances…

The Hill:

Dozens of House Democrats broke ranks with President Obama on Friday to support legislation that would require people to be notified of security breaches under ObamaCare.

The House passed the Health Exchange Security and Transparency Act, H.R. 3811, in a 291-122 vote. Sixty-seven Democrats voted for the bill, ignoring arguments from party leaders that the bill was a “messaging” vote meant to discourage people from signing up for insurance.

The one-sentence bill says that no later than two business days after any security breach on an ObamaCare site is discovered, “the Secretary of Health and Human Services shall provide notice of such breach to each individual.” Republicans said that under current law, the government is not required to notify people if their information is put at risk.

“It may shock some people to learn that there is no legal requirement that the Department of Health and Human Services notify an individual if his or her personal information is breached or improperly accessed through the Affordable Care Act’s exchanges,” said Rep. Joe Pitts (R-Pa.).

The White House said it opposed the bill, arguing the government already has plans to tell people if their information has been compromised.

But that argument didn’t sway a large group of House Democrats, many of whom fear the problem-plagued rollout of ObamaCare will cost them at the polls in November.

House Oversight and Government Reform Committee Chairman Darrell Issa (R-Calif.) said the new requirement is critical because a senior official at the Centers for Medicare and Medicaid Services (CMS) advised in September that the site should not be launched due to security problems. Teresa Fryer, the Chief Information Security Officer at CMS, testified before Issa’s committee late last year.

“The truth is that actual interviews and depositions taken of the highest-ranking people that helped develop this website, both public and private, shows there was no end-to-end testing,” Issa said Friday. “It did not meet the spirit of any definition of a secure website.”

Democrats rejected those arguments, and said Republicans were not explaining Fryer’s complete views on the security of HealthCare.gov.

“All week, Republicans have been trying to make their case for this bill by quoting from a memo drafted by the chief information security officer at CMS about concerns before the website was launched,” said Rep. Elijah Cummings (Md.), the top Democrat on Issa’s committee. “But they omit one critical fact: this official never sent the memo. It was a draft, and she never gave it to anyone, including her own supervisor.”

Shorter Cummings: The website is a hacker’s dream and the government knows it, but memos like the one drafted by Fryer were never sent in order to keep a lid on the problem.

It hardly matters. Henry Chao, project manager at CMS for the website, says he never saw another memo from a CMS IT expert, Tony Trenkle, who described “limitless” security problems with the site. Whether Fryer sent her memo or not is irrelevant. There were others at CMS who knew full well the security shortcomings with the site.

Chao said he was unaware of a Sept. 3 government memo written by another senior official at CMS. It found two high-risk issues, which are redacted for security reasons. The memo said “the threat and risk potential (to the system) is limitless.” The memo shows CMS gave deadlines of mid-2014 and early 2015 to address them.

But Chao testified he’d been told the opposite.

“What I recall is what the team told me, is that there were no high findings,” he said.

Chao testified security gaps could lead to identity theft, unauthorized access and misrouted data.

According to federal guidelines, high risk means “the vulnerability could be expected to have a severe or catastrophic adverse effect on organizational operations … assets or individuals.”

It was Chao who recommended it was safe to launch the website Oct. 1. When shown the security risk memo, Chao said, “I just want to say that I haven’t seen this before.”

A Republican staff lawyer asked, “Do you find it surprising that you haven’t seen this before?”

Chao replied, “Yeah … I mean, wouldn’t you be surprised if you were me?” He later added: “It is disturbing. I mean, I don’t deny that this is … a fairly nonstandard way” to proceed.

The fact is, Democrats like Cummings would rather keep consumers in the dark about their personal info being stolen lest others get nervous about signing up using the site. Putting political success ahead of protecting Americans’ privacy is about what we’ve come to expect from CMS and the administration.