Capitol Hill conservatives are scrambling to find out more about an undisclosed security data breach of private healthcare.gov information that took place in late spring.
The breach involved an inadvertent transfer of personal data from computers controlled by the Center for Medicare and Medicaid Services to servers at Optum/QSSI, the lead contractor building the healthcare.gov infrastructure.
Andrew Slavitt was the leader of UnitedHealth Optum/QSSI, the legacy of his original firm Ingenix, which he sold to UnitedHealth, at the time of the breach, so it is interesting that Slavitt is now the principal deputy administrator at CMS, and the man tasked by President Barack Obama to fix the healthcare.gov debacle.
Officials at Health and Human Services, the parent agency of CMS, the office inside the department with overall supervision of the federal healthcare exchanges, state-based marketplaces and enrollment, as well as the Federal Data Services data hub, changed procedures for handling personal information, but did not report the incident to Congress because in their thinking it was not an external attack or break-in.
Word of the security breach in the late spring is bubbling up just as Congress is reacting to news of a successful hacker attack in July, disclosed just after Labor Day.
The hacker installed malicious software inside the system and the breach went undetected for two months.
Critics of the administration’s casual approach to cybersecurity got a shot in the arm from a Sept. 16 Government Accountability Office report, “Action Needed to Address Weaknesses in Information Security and Privacy Controls,” that details severe vulnerabilities in the implementation of the Patient Protection and Affordable Care Act and vindicates the line of questioning from Rep. Michael J. Rogers (R.-Mich.) regarding healthcare.gov cybersecurity one year ago.
The report serves as a reminder that one of the principal architects of the infrastructure, Slavitt, is now CMS’s principal deputy administrator.
In particular, the GAO focused on the Centers for Medicare & Medicaid Services.
“Healthcare.gov had weaknesses when it was first deployed, including incomplete security plans and privacy documentation, incomplete security tests, and the lack of an alternate processing site to avoid major service disruptions,” according to the report.
“CMS had not: always required or enforced strong password controls, adequately restricted access to the Internet, consistently implemented software patches, and properly configured an administrative network,” the report said. “An important reason that all of these weaknesses occurred and some remain is that CMS did not and has not yet ensured a shared understanding of how security was implemented for the Federally-Facilitated Marketplaces among all entities involved in its development.”
The GAO report warns that unless these lapses are addressed, the system remains vulnerable to unauthorized access, disclosure of confidential information, and tampering with or manipulation of data.
In the earliest days of the debate over President Barack Obama’s healthcare reform scheme, the congressman warned it would not work. Rogers compared punishing the 85 percent of the country with health insurance, while trying to help the 15 percent without insurance, to using a queen-sized sheet on a king-sized mattress. “I guarantee you, those corners are going to come up.”
Rogers, the chairman of the House Permanent Select Committee on Intelligence, always said that the Patient Protection and Affordable Care Act was contrary to America’s founding principles and the spirit of its people. But, given his status as an Army and FBI veteran, it was natural that he would focus on the security threats to the government’s healthcare computer infrastructure.
As the disastrous deployment of the new healthcare regime was coming to light, Rogers, as a member of the House Energy and Commerce Committee, questioned Slavitt at an Oct. 24, 2013 hearing on the security of the healthcare computer system. At the time, Slavitt was still leading Optum/QSSI, the lead computer systems contractor for CMS.
Rogers asked Slavitt, whose firm designed the access and enrollment pages and processes for healthcare.gov, what steps his firm took with particular attention to entry points, where a system is the most vulnerable.
Slavitt told Rogers that he was not concerned because the website was designed to pass information along, not store it.
“When you say you don’t hold information, that is a very low standard in order to protect information,” Rogers said to Slavitt.
“I don’t have to be where it’s held to obtain it. Are you aware of that?” he asked.
“Correct,” said Slavitt.
Of course, Rogers was too correct.
But, what has changed is that Slavitt is now in charge of healthcare.gov, the monster he designed and sold the government.