Issa Statement on Passage of Health Exchange Security and Transparency Act

Published: Jan 10, 2014

WASHINGTON – Today, House Oversight and Government Reform Committee Chairman Darrell Issa, R-Calif., voted to pass H.R. 3811, the Health Exchange Security and Transparency Act of 2014, which will require the Administration to notify consumers when their personal information has been compromised on


“The truth is that actual interviews and depositions taken of the highest ranking people that helped develop the website, both public and private, show there was no end-to-end testing [on]. It did not meet the spirit of any definition of a secure website,” Issa said.

“The fact is what we need is a law that makes it clear that [the Administration] should do the right thing, not say they will do the right thing and they have always done the right thing, because in the case of, they launched a site that was neither functionally ready, nor had it been security tested and it had known failures that were not mitigated prior to the launch.”

H.R. 3811, the Health Exchange Security and Transparency Act, passed today on a vote of 291-122.


  • CMS's top security official, Teresa Fryer, testified to Committee staff that she recommended denying the authority to launch, but other officials decided to go ahead anyway.  Fryer cited incomplete testing and unknown risks, which she believed constituted a high security risk to the system, as the basis of her recommendation and warning.
  • An October 11, 2013, report by CMS security contractor MITRE outlined numerous risks. These documents, obtained by the Oversight Committee, contain sensitive technical details and have not been released, but they include disturbing information:
    • “Any malicious user having knowledge of this can perform unauthorized functions.”
    • “MITRE was unable to adequately test the Confidentiality and Integrity of the HIX [Health Exchange] system in full.  The majority of MITRE’s testing efforts were focused on testing the expected functionality of the application.  Complete end to end testing of the HIX application never occurred.  Several factors contributed to the limited effectiveness of this SCA.”
  • HHS knows security failures are actually happening.  On December 17, 2013, Fryer testified that recent security testing has uncovered multiple significant security problems.  In one instance, a problem actually resulted in an incident that wrongfully disclosed a site user’s personal information to an unauthorized party.  While Administration officials have tried to downplay the significance of these security failures, they have provided no evidence that these problems have been fixed.