You can’t trust Obamacare to keep your details safe

As was the case when millions of Americans lost their insurance plans, President Obama’s national healthcare law has once again caused something that its supporters and administration officials swore up and down would never happen. In July, hackers breached the computer system of the federal HealthCare.gov insurance exchange. Officials only discovered the breach in late August.

Although the White House reports that no personal information was compromised in this attack, the system’s vulnerability is evident, and the intelligence of those running it is not. They failed to conduct required security scans on the server in question, and also left it protected by the manufacturer’s default password.

As with the wave of cancellations that came last fall, Obama administration officials went to great lengths to mislead Congress and the public on the security testing that went into HealthCare.gov. Last October, Health and Human Services Secretary Kathleen Sebelius told the House Oversight Committee that the MITRE Corporation had conducted security tests and the results “did not raise flags about going ahead.” One week later, she told the Senate Finance Committee, “No one, I would say, suggested that the risks outweighed the importance of moving forward, including our independent evaluator, MITRE…”

As it turned out, both of those statements were false. MITRE had raised several red flags, and a top information technology officer at HHS had warned that the security risks did indeed outweigh the importance of launching the site on time.

MITRE had been unable to test eight of the 17 modules in the system because they were still in development. And government officials had explicitly instructed MITRE not to test for certain vulnerabilities, such as “efforts to interrupt the availability of the system, such as attempting Denial of Service exploits” — precisely what happened in this summer’s security breach.

Having read MITRE’s report from late September 2013, Teresa Fryer, Chief Information Security Officer at CMS (the agency responsible for HealthCare.gov), refused to sign off on the October 1 launch of the website. When higher-ups overrode her decision, she penned a memo warning them that the site “does not reasonably meet the CMS security requirements. … There is also no confidence that Personal Identifiable Information will be protected.”

They launched anyway, and the results are unsurprising. Indeed, not only is it possible that other breaches have gone unnoticed, but this is not even the most glaring known breach to date. Last fall, innocent users of the site were already accidentally stumbling upon other users’ personal information.

Obamacare is already a focal point of the Obama administration’s refusal to be constrained by rules. Obama has repeatedly contravened the text of his own signature law, delaying various implementation deadlines that he himself placed in the federal code.

Here, his administration failed to heed basic government standards for information technology and laws regarding the protection of citizens’ private information. Americans who bought insurance through the federal exchange can now rest assured that their personal information is probably not safe.
