November 15 marks the start of the second open enrollment period for ObamaCare. Once again, millions of Americans will be trying to log on to the government healthcare website, HealthCare.gov, to find health insurance. Sadly, once again, they will be risking the theft of precious personal data to computer hackers and others who seek to benefit from stealing that information.
This is the same sorry scenario we saw last year when the ObamaCare website first opened for business on October 1, 2013. The failures of the website dominated the news for the next six months. People spent hours just trying to find health insurance to no avail due to the numerous “glitches”, to use the White House explanation, that plagued the website.
Among these many “glitches” was the failure to build in the necessary security measures to assure all those signing up that their personal data would not be stolen.
This concern was expressed in an article published in The Weekly Standard by Michael Astrue, former commissioner of Social Security until his resignation in February 2013. He pointed to the failure of former administrator of the Centers for Medicare and Medicaid Services (CMS), Donald Berwick, to create systems for the exchanges, which required peripheral support from the Social Security Administration (SSA) and the Internal Revenue Service (IRS). He also failed to persuade HHS Secretary Sebelius to spend one penny on this effort from her massive ACA discretionary fund.
Astrue wrote, “The system’s lack of any substantial verification of the user would leave members of the public open to identity theft, lost periods of health insurance coverage, and exposure of address for victims of domestic abuse and others. . . In reality, the beta version jammed through a few months ago will, unless delayed and fixed, inflict on the public the most widespread violation of the Privacy Act in our history.”
These words, written about two months before the opening of the exchanges on October 1, 2013, were prescient. Testimony in Congress later by security experts confirmed his worst fears. David Kennedy, CEO of TrustedSec, a cybersecurity expert and former hacker, said this:
“It’s really hard to go back and fix the security around it because security wasn’t built into it. We’re talking multiple months to over a year to at least address some of the critical-to-high exposures on the website itself.”
His opinion was shared by another security expert, Morgan Wright, CEO of Crowd Sourced Investigations who said, “There’s not a plan to fix this that meets the sniff test of being reasonable.”
That was the assessment of the security experts one year ago with the disastrous rollout of the ObamaCare website. Now, with the second open enrollment about to begin, it seems that little has changed
HealthCare.gov Still Insecure
Astrue once again writes in The Weekly Standard, calling attention to the insecurity of the website on the eve of the second open enrollment. He says that last year HHS came up with a clever way of reassuring Americans that they should not hesitate to hand their sensitive data over to a new bureaucracy in shambles. The prelaunch rhetorical trick was to focus on one small part of HealthCare.gov – what HHS calls the “data hub” – and claim that it does not “retain or store Personally Identifiable Information.”
Astrue says that this is true only insofar as it pertains to electronic communications between agencies to verify specific data the way that the Social Security Administration verifies Social Security numbers for employers. However, Congress and the media regularly took that statement to apply to the entire federal exchange and HHS did not volunteer that it retains detailed personal information on applicants and callers to its toll-free number –whether or not they buy insurance through the federal exchange. HHS also did not volunteer the fact that it solicits personal data from states that chose not to participate in HealthCare.gov.
HHS calls the system that stores data on health insurance “MIDAS” (Multidimensional Insurance Data Analytics System) and has subcontracted management of the system to CACI, one of the largest Beltway contractors, for $59 million for six years. At least six subcontractors now help run MIDAS, and one of them, the American Institutes for Research (AIR), recently solicited Affordable Care Act data from states unconnected to HealthCare.gov so that it could do with those data whatever it is doing with the federal data. AIR’s requested data elements include: name, address, phone number, mailing address, citizenship status, age, gender, race, primary language, and a description of the health plan the person selected.
Astrue explains the significance of all this:
“What this solicitation means is that HHS and its contractors collect data on people who never contacted HHS and never gave permission for the federal government to access their data, much less share it widely among contractors and then store it permanently with one or more of those contractors.”
So now you have a massive amount of data on Americans being stored in an unaudited contractor’s servers with an insecure website that stores data in other locations. This represents a security breach waiting to happen. Actually, this is already happening. This summer HHS suffered an embarrassing breach of HealthCare.gov, not by a sophisticated cyber attack by a foreign government or criminal enterprise, but apparently by a garden-variety malicious software roaming the internet that just happened to wander into the vulnerable peripheral section of HealthCare.gov.
Once again Astrue’s words were prescient:
“As I and others predicted last year, this part of HealthCare.gov was easily penetrated, and its security systems were so deficient that it took months for HHS to recognize the penetration. The Government Accountability Office reported on September 16 that HHS had not ‘fully addressed security and privacy management weaknesses, including having incomplete security plans and privacy documentation, conducting incomplete security tests, and not establishing an alternate processing site to avoid major disruptions.’ The GAO report also found that HHS had not followed Office of Management and Budget government-wide guidance for assessing the privacy risks of MIDAS.”
Once again Astrue lays the blame at the feet of HHS Inspector General Daniel Levinson – and President Obama. Levinson has failed to secure the website and failed to notify Congress and the President of the seriousness of the situation. President Obama has failed to hold Levinson accountable and to notify the American people of the insecurity of HealthCare.gov.
A Suggested Presidential Apology
Astrue says an apology is needed to the American people and offers the president some words of advice on how it should sound:
“I want to apologize again for incorrectly assuring Americans that HealthCare.gov was ready for launch and that all Americans would be able to keep their insurance plans. I recognize, too, that many Americans lost valued physicians when they lost their insurance plans, and I regret that result as well.
Today I also want to acknowledge that the data held by HealthCare.gov are not as secure as HHS told both you and me. I accept responsibility for that failure and apologize for it. Furthermore, I am taking these actions: (1) I have accepted the resignation of HHS inspector general Daniel Levinson. (2) I am directing the acting HHS inspector general to prepare a report within the next 100 days for me and the relevant congressional oversight committees that lists all locations where HHS collects personal data pursuant to the ACA and a list of all the organizations and individuals with access to those locations. I am further directing the acting inspector general to develop a schedule for promptly performing security audits at each location where personal data are stored. (3) I am directing the HHS secretary to suspend collection of personally identifiable information from states that operate their own health exchanges until such time as the attorney general has advised me that collection of these data is fully consistent with all requirements of federal law.”
Anyone believe such an announcement is likely this week before the second open enrollment period begins?