Issa Challenges Sebelius on False, Misleading Statements on HealthCare.gov Security

January 8, 2014

WASHINGTON – Today, in a letter sent to Health and Human Services Secretary Kathleen Sebelius, House Oversight and Government Reform Committee Chairman Darrell Issa, R-Calif., pressed for explanations and revisions on false and misleading statements the secretary made before Congress about the security risks present on HealthCare.gov. Issa also requested documents and communications made in preparation for Sebelius’s congressional appearances after October 1, 2013.

“Providing false or misleading testimony to Congress is a serious matter,” Issa writes. “Documents and testimony obtained by the Committee, including information provided by Teresa Fryer, the Chief Information Security Officer at the Centers for Medicare and Medicaid Services (CMS), and the MITRE Corporation, a contractor hired by HHS to conduct security assessments of healthcare.gov, show that your testimony was false and misleading.”

The letter cites four examples of false statements Sebelius made before Congress: 1) that MITRE was conducting ongoing security testing; 2) that MITRE’s preliminary report “did not raise flags about going ahead;” 3) that “no one… suggested that the risks outweighed the importance of moving forward;” 4) that MITRE made recommendations to CMS about moving forward.

“Although the four examples of misinformation and falsehoods from your Congressional testimony late last year are extremely troubling,” Issa writes, “your failure during numerous Congressional hearings to explicitly mention the serious problems with security testing in the month prior to launch creates the appearance that you carefully chose language that would mislead Members of Congress and the American public.”

On October 30, 2013, Sebelius told the House Energy and Commerce Committee that MITRE was performing security testing on an ongoing basis and that the contractor’s preliminary report “did not raise flags about going ahead[.]”

In fact, the letter points out, “MITRE and Blue Canopy, the contractors utilized by CMS to conduct security testing of HealthCare.gov and its related components, did not conduct ongoing security testing of the system.  According to Ms. Fryer’s testimony, MITRE’s final round of security testing on the federal exchange prior to the October 1, 2013, launch ended on September 20, 2013.”

Moreover, MITRE’s preliminary report raised many specific problems that concerned Teresa Fryer, CMS’s top cybersecurity expert. The letter states, “In preparation for a September 23, 2013, security briefing, Ms. Fryer prepared a PowerPoint slide that listed two high risks with opening the Exchange on October 1, 2013.  The two ‘unknown’ risks identified by Ms. Fryer, which confronted individuals who entered their information into HealthCare.gov beginning on October 1, 2013 were:

  • “Unknown risk of applications to withstand attacks aimed at system availability.
  • “Unknown risks associated with those controls and those functionalities that were not tested.”

Fryer told Committee staff in a December 17, 2013 transcribed interview, “From a security perspective, for a security risk only, in my opinion, yes, it was a high risk because of the level of uncertainty discovered during the testing.”

Sebelius told the Senate Finance Committee on November 6, 2013 that “no one… suggested that the risks outweighed the importance of moving forward including our independent evaluator, MITRE, who made recommendations to CMS, as is required.” On the contrary, Fryer was so concerned about MITRE’s findings that she repeatedly recommended to Tony Trenkle, CMS’s Chief Information Officer, that the website launch be delayed. In a memorandum drafted by Fryer, she said the Exchange “does not reasonably meet the CMS security requirements…  There is also no confidence that Personal Identifiable Information (PII) will be protected.”

Finally, Sebelius falsely stated that MITRE, the chief security contractor, “made recommendations to CMS, as is required,” when in fact MITRE has told the Committee they were “not informed, nor asked, by CMS about a ‘go-ahead’ for HealthCare.gov.”

“Witnesses who purposely give false or misleading testimony during a congressional hearing may be subject to criminal liability under Section 1001 of Title 18 of the U.S. Code, which prohibits ‘knowingly and willfully’ making materially false statements to Congress,” the letter concludes. “With that in mind, I write to request that you correct the record and to implore you to be truthful with the American public about matters related to ObamaCare going forward. In addition, in order to determine the full extent of other officials’ roles in developing your recent Congressional testimony, I request you provide copies of all documents and communications, including meeting notes, prepared for your three appearances before Congress after October 1, 2013.”

You can read the complete letter to Secretary Sebelius here.

 
