HealthCare.gov Faced Security Risks, Feds Were Told

As HHS secretary Sebelius testified to Congress about the flawed rollout, a memo surfaced that predicted security risks due to inadequate testing.

Officials for the Centers for Medicare and Medicaid (CMS) were alerted four days prior to the launch of HealthCare.gov that a lack of testing posed security risks for the healthcare insurance website, according to an internal government memo obtained by the Associated Press.

The AP report released Wednesday surfaced just as Department of Health and Human Services (HHS) secretary Kathleen Sebelius testified on Capitol Hill about the fiasco. While Sebelius admitted there should have been more testing, she said security was never an issue.

"Clearly the testing should have been longer and should have been more sufficient," Sebelius said to the House Energy and Commerce committee. "Contractors said, 'we would've loved more testing time, but we're ready to go ahead.'"

The internal HHS memo was sent to CMS chief Marilyn Tavenner on Sept. 27 and warned that insufficient testing "exposed a level of uncertainty that can be deemed as a high risk." The sender of the memo was not identified.

The memo said contractors weren't able to test all the security controls before the launch, and recommended setting up a security team to address risks and conduct daily tests, with a full security test to follow within two to three months.


Sebelius said she was not advised to delay the Oct. 1 launch date, even though contractors couldn't perform end-to-end testing until mid-September, after the products and insurance policies were loaded into the system.

The House Oversight and Government Reform committee released other documents Tuesday night, including a monthly status report from CGI Federal, one of the primary contractors for HealthCare.gov, issued Sept. 6. The report identified a number of open issues that represented potential risks and warned that the time needed to fully test the site "was not adequate" to ensure the site would function completely, according to a Washington Post story.

Wednesday's hearing was a political showdown at its worst, with Republicans making a fool of Sebelius to prove a point, and Democrats mostly lauding a flawed system.

In her first appearance before lawmakers to publicly explain HealthCare.gov's failed launch, Sebelius apologized to the American people.

"I am as frustrated and angry as anyone with the flawed launch of," she said. "You deserve better. I apologize. I'm accountable to you for fixing these problems, and I'm committed to earning your confidence back by fixing the site."

Sebelius said CMS and the contractors are working to fix the site by the end of November.

The site's glitches have frustrated more than just millions of consumers; insurance companies aren't too thrilled, either. Because of the problems, "There is no reliable data around enrollment," Sebelius said.

"The system isn't functioning, so we're not getting that reliable data," she said. "We have prioritized that specific fix. Believe me, insurance companies want to get reliable data."

The data insurance companies are looking for are the 834 files that contain enrollment data, like social security numbers, number of dependents and the type of plan customers selected. Without those files, even if a customer successfully registers on HealthCare.gov, they might encounter major problems when they try to use their insurance after Jan. 1, when the plans go into effect.

"Clearly, looking back, it would've been ideal to do it differently," Sebelius said. "We should have anticipated better, we should have planned better, we should have tested better."
