Judicial Watch: HHS Documents Reveal Known Pre-Launch Security Flaws in Healthcare.gov
Contact: Jill Farrell, Judicial Watch, 202-646-5172
WASHINGTON, July 28, 2017 /Standard Newswire/ -- Judicial Watch today released two productions of documents (1123 pages) of Department of Health and Human Services (HHS) records showing security officials' concerns about the Obamacare website prior to its launch.
Judicial Watch obtained the HHS documents in response to a court order in a Freedom of Information Act (FOIA) lawsuit (Judicial Watch v. U.S. Department of Health and Human Services (No. 1:14-cv-00430)). The lawsuit was filed in March 2014 after HHS failed to respond to a December 20, 2013, FOIA request seeking:
- All records related to the security of the healthcare.gov web portal including, but not limited to, studies, memoranda, correspondence, electronic communications (e-mails), and slide presentations from January 1, 2012 to the present.
The documents show a flippant disregard for Senior IT Security Official Tom Schankweiler's security concerns in a September 23, 2013, email exchange, one week before the launch of Obamacare, between Fryer and CMS official Jacqueline Toomey. Toomey tells Fryer: "Breathe ... don't allow him to suck you in." Toomey responds later in the exchange: "I'm afraid of who he's 'blind copying' on his emails." Fryer says: "When [Consumer Information and Insurance Systems Group] gets theirs, can you make a gagging sound for me?" Toomey responds: "Giggling."
In a September 28, 2013, review, Chief Information Security Officer (CISO) Jane Kim notes that the risk associated with the Illinois Integrated Eligibility System ATC [Authorization to Connect] is "high," observing that "87 security controls [were] not documented or incomplete." Risk associated with Minnesota's application to connect was also deemed "high," with 110 incomplete or undocumented security controls. Pennsylvania's risk was also deemed "high," with 10 high-level security findings. Hawaii was also considered a "high" risk, with 23 "high-impact" security findings.
A security spreadsheet in a September 19, 2013, email exchange shows that a "high" level defect in the Obamacare website was discovered. That finding prompted top IT security officials to schedule an emergency conference call in which Senior IT Security Official Tom Schankweiler tries to persuade then-CMS Chief Information Officer Teresa Fryer to issue a "short term ATO [Authorization to Operate]."
The CMS "Pre-Flight Checklist" published on September 20, 2013, contains a chart indicating that the "Hub," designed to help with verifying applicant information used to determine eligibility for enrollment, was unable to perform its tasks. The comment on verification of citizenship reads: "Hub has been too irregular to work thorough this, and still don't have the right data to test to the 5 year bar." The comment on verification of SSN reads: "Hub has reliability issues ..." The Pre-Flight Checklist also notes nine "high" security risks, 123 "moderate" security risks, 68 "low" and 17 "common" risks in various components of the Obamacare system.
On October 1, 2013, Americans started shopping for health insurance on healthcare.gov, and the site crashed.