Oregon Health Insurance Exchange Failure: Blame Runs Deep
Postmortem report confirms diagnosis of weak project oversight, unrealistic goals, and poor performance by Oracle.
Excessive optimism, weak oversight, and poor performance by Oracle consultants all contributed to the failure of the Cover Oregon health insurance exchange (HIX) to deliver a functioning consumer website, according to a report commissioned by Oregon Governor John Kitzhaber, which he released at a news conference Thursday.
"I am angry and I am disappointed by the rollout of Cover Oregon and the ongoing technical problems that have created delays, uncertainty, and frustration among Oregonians who need and deserve healthcare," Kitzhaber said.
The state released the full, unredacted report, meaning that it names names, pointing to Rocky King, Bruce Goldberg, and Carolyn Lawson as the key decision makers on the project. During the news conference, Kitzhaber announced that Goldberg will resign as director of the Oregon Health Authority, staying only until a replacement is found. His resignation follows those of King and Lawson, who previously served, respectively, as director of Cover Oregon and CIO of the Oregon Health Authority.
The report, authored by First Data Government Solutions, echoes the findings of other investigations, including a report commissioned by the Centers for Medicare and Medicaid Services (CMS), that found substantial fault with both the primary contractor on the project, Oracle, and with the state project managers and executives overseeing the work.
Kitzhaber called the report "a very credible and sobering critique" of a complete breakdown in project management and administrative oversight. Even though the state employed a quality-assurance contractor, Maximus, which early on sounded alarms about inadequate processes and controls, the project's personnel over time "became desensitized to quality assurance reports showing the project was not on track," he said.
Maximus rated the Cover Oregon project high risk, from the beginning, in multiple categories.
Kitzhaber also pointed to "very serious questions of the quality of work of our primary website developer, Oracle," particularly its inability to accurately estimate its progress toward project goals or keep its commitments to a schedule.
One of the project's fatal flaws was unrealistic optimism, Kitzhaber said. He acknowledged seeing project reports with multiple elements flagged in red, indicating high risk, on progress charts, but accepted assurances that those risks would come down as the deadline neared. Asked about his own responsibility for executive oversight of the project, he said, "The buck stops here, and I assume responsibility for that," but also noted that, "as it turns out, neither me or most of the legislature builds websites, so we have to rely on other people to give us information."
One thing Kitzhaber said he wishes he had done differently was look at how those QA reports tracked over time, rather than looking at them in isolation. "It's very clear, if you look back, that some problems Cover Oregon said had been addressed... appeared again in subsequent Maximus reports."
First Data reported a common theme in interviews with project staff "was that both Rocky King and Carolyn Lawson were perceived as supremely confident. The interviews also confirmed that the overly optimistic schedule/scope projections were based on continued trust in Oracle and the HIX-IT leadership (Rocky King, Carolyn Lawson, and Bruce Goldberg), despite repeatedly missed deadlines." Only very late in the process, in August and September, did any of these leaders acknowledge that the initial
David F. Carr oversees InformationWeek's coverage of government and healthcare IT. He previously led coverage of social business and education technologies and continues to contribute in those areas. He is the editor of Social Collaboration for Dummies (Wiley, Oct. 2013) and ... View Full Bio
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.