Judicial Watch: HHS Documents Reveal Serious Behind-the-Scenes Security Concerns About Healthcare.gov
Contact: Jill Farrell, Judicial Watch, 202-646-5172
WASHINGTON, April 18, 2017 /Christian Newswire/ -- Judicial Watch today released 944 pages of Department of Health and Human Services (HHS) records showing that the Obamacare website was launched despite serious concerns by its security testing contractor, Mitre Corporation, as well as internal executive-level apprehension about security.
Judicial Watch obtained the HHS documents in response to a court order in a Freedom of Information Act (FOIA) lawsuit (Judicial Watch v. U.S. Department of Health and Human Services (No. 1:14-cv-00430)). The lawsuit was filed in March 2014 after HHS failed to respond to a December 20, 2013, FOIA request seeking:
- All records related to the security of the healthcare.gov web portal including, but not limited to, studies, memoranda, correspondence, electronic communications (e-mails), and slide presentations from January 1, 2012 to the present.
A July 2013 "Continuous Improvement Plan," prepared for updates and improvements to the healthcare.gov website, defines the "Change Control Board" as a provider of final approval on new features and "politically sensitive issues."
The documents reveal that Mitre recommended a "Denial Authorization to Operate" in the month prior to Obamacare's launch, noting that it could not adequately test the confidentiality and integrity of the system. It said that complete end-to-end testing of the system never occurred. Mitre found that 11 "moderate" security findings and eight "low" findings remained open as of September 19, 2013 – 12 days before the launch.
An unsigned "Authorization to Operate," prepared just five days before Obamacare's launch, indicates that the site's "validation contractor" was "unable to adequately test the confidentiality and integrity of the [Federally Facilitated Marketplace] system in full." That contractor, Blue Canopy, noted that they were able to access data "that should not be publically accessible."
On October 1, Americans started shopping for health insurance on healthcare.gov, and the site crashed.
In an October 2013 email exchange requesting help with an upcoming test, healthcare.gov IT security Chief Tom Schankweiler complained of a lack of a "grand strategy" in security testing the Obamacare website. Schankweiler complained about hackers hitting the site, and noted that confidential information was "growing legs and growing way beyond the normal borders." Fryer agreed with Schankweiler, and also noted "conflict of interest issues" in the security testing.
In November, senior CMS official Jon Booth discusses "a contingency system" for higher Obamacare enrollments that CMS Office of Administration wanted "kept under the radar" and "out of the spotlight, even from an internal perspective." George Linares responds to Booth, noting that healthcare.gov was still operating without an "Authorization to Operate," and that the "contingency system" meant they needed a plan to "close the security gap as well."
Among the released documents is a November draft press background briefer, in which CMS officials crossed out a line that read that consumers could "trust that the information that they are providing is protected by stringent security standards" and a line that the ACA website was "compliant with the Federal Information Security Management Act."