By Jennifer Hickey
Congressional efforts this week demanding that HHS Secretary Kathleen Sebelius explain why the Obamacare website was launched before security issues were resolved come after the administration repeatedly dismissed such concerns and stonewalled oversight efforts in the rush to meet the Oct. 1 deadline.
Senate Finance Committee Republicans wrote on Tuesday to Sebelius saying they had "serious questions" about the "privacy and security of the very detailed personal information being transmitted through the Federally Facilitated Marketplace."
The senators said that the Centers for Medicare and Medicaid Services (CMS) was required to get further security certification before launching the website on Oct. 1 and asked Sebelius to "describe in detail the security test that was completed on all aspects of the Healthcare.gov website."
Also demanding answers from Sebelius is Rep. Darrell Issa of California, chairman of the House Oversight and Government Reform Committee, who on Thursday subpoenaed the secretary for documents relating to the Obamacare rollout problems, including the security issue.
"The evidence is mounting that the website did not go through proper testing, including critical security testing, and that the administration ignored repeated warnings from contractors about ongoing problems," Issa said.
The congressional demands for answers this week come after previous warnings raising red flags about security issues relating to the Obamacare rollout were largely ignored by the administration.
An Aug. 2 Health and Human Services Inspector General report said that an assessment of the Obamacare website's security standards could not be offered because CMS failed to meet several deadlines to submit final security documents.
In June, Republican Sen. Orrin Hatch of Utah, ranking member of the Senate Finance Committee, raised alarm bells about security involving the health insurance exchange navigators in a letter sent to Sebelius.
Committee staffers confirmed to Newsmax that Sebelius never responded to the request for clarification of security measures. Hatch and his Republican committee colleagues sent a follow-up letter on the same issue to Sebelius earlier this month, setting a Nov. 12 deadline for HHS to respond.
The administration also ignored the internal warnings contained in a Sept. 27 internal memo about a "high risk" of fraud and abuse in the Healthcare.gov rollout, choosing to proceed with the program's debut Oct. 1 without delay.
CMS Administrator Marilyn Tavenner, who reports to Sebelius, received the internal memo expressing concerns that the Obamacare website was not sufficiently secure, but decided to continue with the scheduled roll-out.
The memo to Tavenner -- from CMS officials James Kerr, consortium administrator for health plan operations, and Deputy Chief Information Officer Henry Chao -- raised serious concerns about the security of applicants' personal data.
The memo warned that because the computer code has not been "tested in a single environment," there are "inherent security risks." The memo recommended taking further measures to address risks, but none included delaying the launch.
The August inspector general's report stated that it could not assess efforts by CMS to safeguard the security system because the data it received from the agency was incomplete due to repeated missed deadlines.
"Because the documents were still drafts, we could not assess CMS's efforts to identify security controls and system risks for the Hub and implement safeguards and controls to mitigate identified risks. If there are additional delays in completing the security authorization package, the CMS CIO [chief information officer] may not have a full assessment of system risks and security controls needed for the security authorization," the Inspector General stated.
In comments submitted to the Inspector General in response to the report, Tavenner maintained that CMS was "confident the Hub will be operationally secure and it will have authority to operate prior to October 1."
Less than a month before the launch date, Kay Daly, assistant inspector general for audit services, testified at a hearing of the House Homeland Security Committee that "CMS has reported to us that it has made additional progress on these key milestones, including obtaining its security authorization for the Hub on September 6, 2013." Daly added that officials in the OIG's office "have not independently verified CMS's progress since completing our audit."
On October 1, CMS went ahead and launched the website with only a temporary "authority to operate" certificate.
The letter from the Senate Finance Committee Republicans indicated that action may have violated the law.
The senators said it was their understanding that "each Centers for Medicare & Medicaid Services (CMS) system is required by law to obtain an Authority to Operate (ATO) certification that attests the system has met all testing requirements before it is placed into operation."
For consumers who heed President Barack Obama's advice to bypass the website and directly call health insurance exchange phone centers, their health information may not be any more secure.
Because there is no statutory requirement for call center staffers, also known as "navigators," to undergo complete background checks, questions have been raised about standards set by HHS to ensure patient privacy.
State officials also have expressed security concerns, particularly fears that the "navigators" may pose a threat to patient data.
Questions about what steps HHS has taken to ensure the navigators are properly trained and vetted, as well as what standards are in place to ensure patient privacy, were raised in an August letter penned by West Virginia Attorney General Patrick Morrisey.
Morrisey wrote the letter to Sebelius on behalf of 12 other state attorneys general, including Alabama, Florida, Georgia, Kansas, Louisiana, Michigan, Montana, Nebraska, North Dakota, Oklahoma, South Carolina and Texas.
"It is not enough to simply adopt vague policies against fraud," Morrisey said. "There are significant holes in the rules HHS has implemented already. We are very concerned about the risk of identity theft if those holes aren't addressed immediately or if the implementation of healthcare exchanges isn't delayed to allow for better regulations, more training for consumer outreach programs and better fraud prevention."
"These vague 'standards' could open up a Pandora's box of privacy and security issues for consumers, states and even the federal government. Consumer privacy will be catch-as-catch-can in each program. It seems inevitable that personnel will be inadequately screened and trained, and they will be more prone to misappropriate private data -- whether intentionally or unintentionally. This is a disaster waiting to happen," Morrisey added.
The fears are not unfounded as news reports have identified breaches.
In September, the Minneapolis Star Tribune reported that a Minnesota state health insurance exchange employee accidentally sent an email file with Social Security numbers, names, business addresses and other identifying information on more than 2,400 insurance agents to a local insurance company.
While Florida is one of the states that conducts background checks and has barred navigators from working at state and county health centers, Republican Rep. Dennis Ross of Florida has introduced the "Security Before Access Act" to address inherent inadequacies in the structure, security, and integrity of the navigator program.
"It is ridiculous that navigators have such easy unsolicited access to people's personal information and that these same navigators aren't required by all states to undergo background checks," Ross told Newsmax.
"I think we can all agree that information security is of utmost importance. It's unacceptable that the president is dead set on hastily implementing this law when there are inherent grave security concerns," Ross said.
The bill would create licensing requirements for individuals seeking to become navigators, including background checks, and would allow consumers to opt out of the Obamacare individual mandate for insurance coverage until Congress has been assured that the navigator program is secure and has fully implemented security protocols in place.
Republican Rep. Diane Black of Tennessee noted recently that the navigators "have no federal requirement to undergo background checks" which increases "the potential for identity theft and fraud is staggering, and why I have been trying to call attention to this issue since I first learned of it."