A contractor for the troubled HealthCare.gov website produced documents to Congress demonstrating that the government opted to launch the website on Oct. 1 despite potential security problems for customer private data, Rep. Darrell Issa (R-Calif.) said in a letter to Health and Human Services Secretary Kathleen Sebelius.
Issa, the chairman of the House Oversight and Government Reform Committee, also wants to meet directly with Sebelius regarding security concerns.
Health and Human Services Secretary Kathleen Sebelius testifies on Capitol Hill in Washington, Wednesday, Dec. 11, 2013, before the House Energy and Commerce Committee hearing on the implementation failures of the Affordable Care Act. Playing catch-up with a long way to go, President Barack Obama's new health insurance markets last month picked up the dismal pace of signups, the administration reported Wednesday. (AP Photo/Susan Walsh)
Last week two companies -- MITRE Corp., and Creative Computing Solutions Inc. (CCSi) – agreed to provide information to the committee despite urging by HHS not to cooperate.
Specifically MITRE security documents show that the administration’s decision to move forward with the website launch by Oct. 1 despite the website vulnerabilities.
“The full context of MITRE’s assessment, which the Department had in its possession prior to the October 1 launch date, shows that CMS and HHS knew that HealthCare.gov was vulnerable yet your statements have not given the American people a fair and accurate assessment of known risks,” Issa wrote to Sebelius.
The Issa letter said this information contradicts Sebelius's earlier assertions, “When there have been issued identified for flagged, it's immediately fixed.”
HealthCare.gov had a disastrous start in October, prompting an investigation by Congress and recently a probe by the HHS Inspector General has commenced at the request of Sebelius. The website was to be the primary means for customers to purchase government-approved insurance plans on the marketplace exchanges.
“Among the unaddressed security risks that went live on October 1, MITRE indicated eleven ‘will significantly impact the confidentiality, integrity and/or availability of the system or data….’ if the technical or procedural vulnerability is exploited,” Issa's letter says.
Issa seemed to address the White House has expressed concern that because of the oversight's record of leaking to the press, some of the security information would not be safe with the committee.
“While I am withholding sensitive technical details, one security finding summary states, ‘Any malicious user having knowledge of this can perform unauthorized functions.’ The summary of another discusses a system weakness that makes a particular type of sensitive information vulnerable,” Issa added. “Part of the finding states this, ‘increases the risk that they will be captured by an attacker.’ A third, which the document indicates HHS was supposed to address in the days immediately before launch, ‘The attacker is able to see and edit PII of the victim’”
HHS did not respond to an e-mail inquiry from TheBlaze regarding Issa's assertion. In a phone call, a staffer from the HHS public affairs office said he would look for response, but has not responded as of press time.
The Issa letter also noted that despite what the White House had claimed, the committee has not resisted the opportunity to meet with the secretary about the website issues.
“Contrary to the assertion made by the White House, neither I nor anyone on my staff has expressed an unwillingness to meet with you for a discussion about both the ongoing security vulnerabilities noted in the MITRE documents as well as the rationale for proceeding on October 1, 2013,” Issa said in the letter. “Indeed, my staff repeatedly has told your staff that it would welcome a page by page discussion of the MITRE documents and any concerns about the public release of any information once the documents were properly and fully produced to the Committee.”