Government memo warned of high security risk at health care website

By Joe Johns, CNN
updated 5:33 PM EDT, Wed October 30, 2013
STORY HIGHLIGHTS
  • Security control assessment "was only partly completed," it says
  • Memo was written just days before the start of open enrollment for Obamacare
  • Agency would create a security team to monitor the risk, conduct weekly scans, it says
  • Lawmakers say the system should have been more thoroughly vetted

Washington (CNN) -- An internal government memo written just days before the start of open enrollment for Obamacare warned of a "high" security risk because of a lack of testing of the HealthCare.gov website.

"Due to system readiness issues, the SCA (security control assessment) was only partly completed," said the internal memo from the Center for Medicare and Medicaid Services. "This constitutes a risk that must be accepted and mitigated to support the Marketplace Day 1 operations."

The memo, which was provided in response to a request from the House Oversight Committee, goes on to explain that CMS would create a "dedicated security team" to monitor the risk, conduct weekly scans and, within 60 to 90 days after the website went live, "conduct a full-scale SCA test."

The memo did not detail the security concerns. It was written by IT officials at CMS, and was sent to and signed by the agency's director, Marilyn Tavenner, who testified on Capitol Hill on Tuesday that she thought the website was ready to go when it began its crash-riddled rollout on October 1.

"We had tested the website and we were comfortable with its performance," Tavenner told lawmakers, although she added the caveat, "we knew all along there would be, as with any new website, some individual glitches we would have to work out."

Republican lawmakers referred to the document Wednesday as they raised concerns at a House Energy and Commerce Committee grilling of Health and Human Services Secretary Kathleen Sebelius, Tavenner's boss.

Sebelius also testified that she thought the website, which has been prone to crashing, was ready to be rolled out on October 1.

She compared the early rollout to a sort of early beta test and said the system was secure because data is stored in the same systems used by the Internal Revenue Service and Department of Homeland Security.

But lawmakers said the system should have been more thoroughly vetted, since it asks purchasers of health insurance to provide personal information.

"You accepted a risk on behalf of every person that used this computer that put their personal and financial information at risk because you did not even have the most basic 'end-to-end' test on security of this system," Rep. Mike Rogers, R-Michigan, told Sebelius. "Amazon would never do this. ProFlowers would never do this. Kayak would never do this," he said.

CNNMoney had earlier in the week profiled an Arizona software tester who said the system was vulnerable and could be hacked. He was able to reset users' passwords without much difficulty. But the Department of Health and Human Services told CNN that particular issue had been addressed.
