- Security control assessment "was only partly completed," it says
- Memo was written just days before the start of open enrollment for Obamacare
- Agency would create a security team to monitor the risk, conduct weekly scans, it says
- Lawmakers say the system should have been more thoroughly vetted
An internal government memo written just days before the start of open enrollment for Obamacare warned of a "high" security risk because of a lack of testing of the HealthCare.gov website.
"Due to system readiness issues, the SCA (security control assessment) was only partly completed," said the internal memo from the Center for Medicare and Medicaid Services. "This constitutes a risk that must be accepted and mitigated to support the Marketplace Day 1 operations."
The memo, which was provided in response to a request from the House Oversight Committee, goes on to explain that CMS would create a "dedicated security team" to monitor the risk, conduct weekly scans and within 60 to 90 days after the website went live, "conduct a full-scale SCA test."
The memo did not detail the security concerns. It was written by IT officials at CMS, and was sent to and signed by the agency's director, Marilyn Tavenner, who testified on Capitol Hill on Tuesday that she thought the website was ready to go when it began its crash-riddled rollout on October 1.
"We had tested the website and we were comfortable with its performance," Tavenner told lawmakers, although she added the caveat, "we knew all along there would be, as with any new website, some individual glitches we would have to work out."
Republican lawmakers referred to the document Wednesday as they raised concerns at a House Energy and Commerce Committee grilling of Health and Human Services Secretary Kathleen Sebelius, Tavenner's boss.
Sebelius also testified that she thought the website, which has been prone to crashing, was ready to be rolled out on October 1.
She compared the early rollout to a sort of early beta test and said the system was secure because data is stored in the same systems used by the Internal Revenue Service and Department of Homeland Security.
But lawmakers said the system should have been more thoroughly vetted, since it asks purchasers of health insurance to provide personal information.
"You accepted a risk on behalf of every person that used this computer that put their personal and financial information at risk because you did not even have the most basic 'end-to-end' test on security of this system," Rep. Mike Rogers, R-Michigan, told Sebelius. "Amazon would never do this. ProFlowers would never do this. Kayak would never do this," he said.
CNNMoney had earlier in the week profiled an Arizona software tester who said the system was vulnerable and could be hacked. He was able to reset users' passwords without much difficulty. But the Department of Health and Human Services told CNN that particular issue had been addressed.