Just days before the security of the Obamacare website is the subject of a new report by an independent government agency, a watchdog group today released documents showing federal health officials knew about security vulnerabilities in the run-up to the site’s shaky launch last fall.
Judicial Watch said it obtained 94 pages of government documents detailing HealthCare.gov’s “massive” security risks.
The documents, the watchdog said, show that officials at the Department of Health and Human Services and a subordinate agency, the Centers for Medicare and Medicaid Services, decided to roll out the online insurance exchange despite knowledge of the security flaws.
Tom Fitton, president of Judicial Watch, said in a prepared statement:
These are more smoking gun documents that the Obama administration knowingly put the privacy of millions of Americans at risk through Obamacare’s HealthCare.gov ‘marketplace.’ And these documents show that this administration was concerned about the political problems of the security flaws but couldn’t care less about the threat to privacy of millions of Americans.
A report on security issues by the Government Accountability Office is expected later this week.
“These documents show that this administration was concerned about the political problems of the security flaws but couldn’t care less about the threat to privacy of millions of Americans,” says @TomFitton
The documents obtained by Judicial Watch point to security risks that include a vulnerability allowing “malicious code” to be uploaded into HealthCare.gov’s system.
That threat, according to a memo dated Sept. 3, 2013, is “limitless.” In the memo, CMS instructed that the glitch be fixed by May 31, 2014 — seven months after HealthCare.gov launched.
A second flaw identified by CMS had to do with the agency’s database for keeping track of security problems and fixes, called the CMS FISMA Controls Tracking System, or CFACTS. Controls for HealthCare.gov were labeled “not satisfied.”
The memo said:
There is the possibility that the FFM [federally facilitated marketplace] security controls are ineffective. Ineffective controls do not appropriately protect the confidentiality, integrity and availability of data and present a risk to the CMS enterprise.
The due date officials gave to remedy the problem was Feb. 7, 2014 — four months after the launch of the online insurance marketplace.
Officials, to avoid delay, rolled out HealthCare.gov before a full security control assessment of the system had been completed.
CMS hired Mitre Corp., located in Massachusetts and Virginia, to test the security of HealthCare.gov. The technology company was awarded contracts worth an estimated $160 million.
According to the documents obtained by Judicial Watch, the agency instructed Mitre to assign security vulnerabilities a “risk level,” from high to low. A rating of “high,” CMS warned, could lead to “significant political, financial and legal damage,” while “moderate” and “low” risks could cause “financial loss or public embarrassment to CMS.”
The Daily Signal has sought comment from CMS on what the documents reveal, so far without result.
Congressional investigators previously exposed security flaws in HealthCare.gov after its launch was fraught with malfunctions and system failures. However, for “security reasons,” specific details were redacted from reports HHS released.
The newly released documents come just weeks after federal officials said hackers broken into a part of the online insurance exchange in July. Hackers uploaded malicious software, the Wall Street Journal reported, but did not steal or view consumers’ personal information.
“Today’s news that HealthCare.gov was hacked should come as a surprise to no one,” Sen. Orrin Hatch, R-Utah, said of the development. “Despite numerous warnings from myself and other lawmakers that security breaches were possible, HealthCare.gov underwent virtually no independent security testing. … It’s yet another deeply disturbing failure of the president’s health law, and once again it is the American people who are bearing the brunt of the law’s failures.”