HHS’ HealthCare.gov “Covert Ops Mission”

New Report Pulls Back the Curtain on Secret Efforts in the Botched HealthCare.gov Rollout

House Oversight and Government Reform Committee Chairman Darrell Issa today released a new report, “Behind the Curtain of the HealthCare.gov Rollout” offering a detailed and document based account on agency infighting and secrecy efforts that plagued the botched October 2013 launch of HealthCare.gov.  The report’s release comes one day before Centers for Medicare and Medicaid Services (CMS) Administrator Marilyn Tavenner and the Government Accountability Office (GAO) are scheduled to testify about ongoing security vulnerabilities to personal information of Americans through the HealthCare.gov website and agency efforts to “cover up” security vulnerabilities.

Key findings in the report:

·         Department of Health and Human Services (HHS) officials contemplated a “covert ops mission” to circumvent incompetent CMS officials: “I grow weary of the bullshit passive/aggressiveness of [CMS official] Henry [Chao], or rather his lack of engagement to the point that we can only speculate that it is passive/aggressiveness. … The other way to do this is through a complete covert ops mission to unseat the CMS FFE rules engine.”

·         When HHS employee Julie Herron transferred to CMS before the website’s launch, she funneled information about security testing to HHS’s Bryan Sivak, who told Ms. Herron “I don’t want to tell anyone that we talk anymore.”  Mr. Sivak used Ms. Herron’s information about system readiness results to recommend that HHS “declare victory without fully launching [the website].”

·         CMS official Teresa Fryer acknowledged that that other CMS officials did not properly convey the true state of security testing leading up to the launch:  “Kevin Charest [HHS CISO] has asked for an update of the FFM testing by noon tomorrow and I’m going to give him a truthful update of exactly what is going on. I am tired of the cover ups.”

·         When CMS officials were unhappy with the negative results of MITRE’s independent security assessment, CMS’s Thomas Schankweiler sought to have it changed: “We need to hit the pause button on this report and have an internal meeting about it later next week.  It is important to look at this within the context of the decision memos and ATO memo that is going up for Tony [Trenkle, CMS Chief Information Officer] and Michelle [Snyder, CMS Chief Operating Officer] to sign. … It is very possible that this report will be reviewed at some point by OIG, and could see the light of day in other ways.”

·         CMS reduced internal access to user account metrics when the media reported accurate figures, suspecting a leak within CMS.  CMS’s Marianne Bowen wrote, “[s]ome of the metrics that are being reported are showing up in newspapers and they’re close enough to reality to know someone with knowledge of the metrics is talking.”

·         In response to draft talking points that explained the problems occurring at ObamaCare Call Centers, CMS’s Julie Bataille wrote, “We NEVER want to say most of this publicly. We need consumers to call us and not worry about these details.”

·         In violation of federal record-keeping rules, Administrator Tavenner deleted her emails, and instructed subordinates to do so as well.  In an email, dated October 5, 2013, Ms. Tavenner forwarded a complaint from Jeanne Lambrew, a key White House advisor, about call center workers giving callers incorrect information: “Please delete this email –but please see if we can work on call script [redacted].”

·         CMS removed Healthcare.gov code from open source project, Github, for public relations reasons because developers were publicly criticizing the code: “[t]his Github project has turned into a place for programmers to bash our system, submit service requests (!) and now people have started copying Marketplace source code that they can see and making edits to that (!!). …  I am sure there may be some blowback from this decision but I think it is better to take a short term hit with this deletion than to let this bashing of the source code continue on our official Github site on an ongoing basis.”

“Even today, the non-partisan Government Accountability Office informs Congress that CMS refuses to provide reports on 13 Healthcare.gov ‘security incidents’ for its audit of efforts taken by CMS to ensure the site’s security.  What vulnerabilities to sensitive personal information is CMS still so intent on hiding from an independent government auditor?,” said Chairman Darrell Issa.  “The new report offers Americans insight into how this Administration secretly responded to known security vulnerabilities while plotting to keep the truth from the American people.”

Click here for the new report “Behind the Curtain of the HealthCare.gov Rollout”

Information on tomorrow’s hearing:

“Examining ObamaCare’s Failures in Security, Accountability, and Transparency”

Full Committee, Chairman Darrell Issa (R-CA)

11:00 a.m. in Rayburn 2154

This hearing will  examine the failures in security, transparency and accountability during the launch of the federal exchange and the ongoing implementation of ObamaCare. On September 4, 2014, the Department of Health and Human Services publicly disclosed that Healthcare.gov had been the target of a successful malicious attack by a hacker.  Last night, GAO released its own new report on ongoing security vulnerabilities for HealthCare.gov.

Witnesses

The Honorable Marilyn Tavenner, Administrator, Centers for Medicare & Medicaid Services, Department of Health and Human Services

Mr. Greg Wilshusen, Director, Information Security Issues, Government Accountability Office (GAO)

Ms. Ann Barron-DiCamillo, Director, U.S. Computer Emergency Readiness Team (US-CERT), Department of Homeland Security