Health and Human Services Secretary Kathleen Sebelius will be on the hot seat again next week when she testifies before the Senate Finance Committee, and top Republicans plan to zero in on the status of ongoing security risks on the Obamacare enrollment website.
Sen. Orrin Hatch, R-Utah, the ranking member of the Finance Committee, plans to press Sebelius on a leaked internal HHS memo warning that those trying to enroll in insurance exchanges would be putting their personal information at risk because the website had not been thoroughly tested.
Before the memo leaked, Hatch and the ten other Republicans on the panel on Tuesday wrote to Sebelius asking whether all federal privacy standards were met prior to the launch of healthcare.gov.
“While we recognize that the website's operational issues are being worked on and will likely be resolved eventually, serious questions remain as to the privacy and security of the very detailed personal information being transmitted ... and what testing, if any, occurred or is occurring to ensure that information is secure,” they wrote.
The senators asked Sebelius to provide answers and information to a series of questions detailing what safeguards were undertaken prior to the website going live to protect the privacy of Americans signing up for coverage.
When setting up accounts on the healthcare.gov site, applicants provide sensitive personal data, including Social Security numbers, email addresses, phone numbers and birth dates that could be used by criminals for identity theft or other crimes.
Hatch's office said Sebelius has yet to respond to the letter, and HHS did not immediately respond to a Washington Examiner inquiry into the status of the security testing and website vulnerabilities.
During her Wednesday testimony before the House, Sebelius offered assurances that consumers' personal data were safe. She apologized for the website’s technical problems and vowed they would be fixed by the end of November.
Under fierce questioning about the memo and the security risks, Sebelius said she is confident that the new system would securely protect applicants’ personal information. She said there was no breach of security, calling the concern a “theoretical problem” raised by a “skilled hacker.” She said the issue was immediately fixed.
But Republicans said they had proof that the system's security testing remains inadequate.
Rep. Mike Rogers, R-Mich., first raised the issue with Sebelius during the hearing.
He accused Sebelius of launching the system despite security vulnerabilities that put people's “personal and financial information at risk because you did not even have the most basic 'end-to-end' test on security of this system.”
“Amazon would never do this. ProFlowers would never do this. Kayak would never do this,” said Rogers.
An internal HHS memo, written just days before the website was set to launch, warned of a “high risk” of a lapse in security because the system had not been tested thoroughly enough.
The memo, written by HHS officials James Kerry and Henry Chao, recommended the creation of a dedicated security team, weekly testing of servers, daily scans and a full security assessment within 60 to 90 days of the launch.
CNN has reported that Ben Simo, an Arizona-based security researcher, discovered as recently as last week a security flaw on the site that could allow a determined hacker to take control of a customer's healthcare.gov account.
Simo showed how it was possible to guess a username and have the system confirm it existed. He then said you could trick the system's password-reset mechanism into revealing the email address tied to that username. Once the email address was obtained, experienced hackers could then gain access to the account by guessing the answers to its recovery questions and other sensitive information.
The CNN report said Simo tried to alert HHS but the person he called transferred him to law enforcement. He said that specific security gap wasn't fixed until Oct. 25, a month after the enrollment website launch.
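The chain Simo described, username enumeration, an email address leaked by the reset flow, and unlimited guesses at recovery questions, is a generic account-recovery weakness, not something unique to healthcare.gov. The following is an added illustration and not the site's actual code (which was never published): a toy Python recovery flow that leaks in the same three places, next to a hardened version. The user store, usernames, email address and recovery answer are constructed test data, and the function names are this example's own.

```python
"""
Added example (not healthcare.gov code): a toy account-recovery flow showing
the three leaks in the reported attack chain, beside a hardened version.
All accounts below are constructed test data.
"""
import hmac
import secrets

# Constructed sample user store (hypothetical account, not real data).
USERS = {
    "jsmith": {"email": "jsmith@example.com", "answer": "rex"},
}

# --- Leaky behaviour ------------------------------------------------------

def leaky_check_username(username):
    """Step 1: the registration check confirms whether a username exists."""
    if username in USERS:
        return "Username is already taken"
    return "Username is available"


def leaky_password_reset(username):
    """Step 2: the reset response echoes the e-mail on file, and the unknown-
    user response differs, so the reset endpoint also enumerates accounts."""
    user = USERS.get(username)
    if user is None:
        return {"ok": False, "msg": "No account with that username"}
    return {"ok": True, "msg": f"Reset link sent to {user['email']}"}


def leaky_answer_question(username, guess):
    """Step 3: unlimited guesses at a low-entropy recovery answer."""
    user = USERS.get(username)
    return user is not None and guess.lower() == user["answer"]


def enumerate_usernames(candidates, reset_fn):
    """Attacker side: run a wordlist through the reset endpoint and keep
    every name whose response differs from a known-nonexistent one."""
    baseline = reset_fn("no-such-user-" + secrets.token_hex(4))
    return [c for c in candidates if reset_fn(c) != baseline]

# --- Hardened behaviour ---------------------------------------------------

GENERIC_MSG = "If that account exists, a reset link has been sent to the address on file."
MAX_ATTEMPTS = 5
_attempts = {}  # per-username counter; a real service would persist this


def safe_password_reset(username):
    """Identical response whether or not the username exists, and the
    e-mail address is never echoed back to the caller."""
    user = USERS.get(username)
    if user is not None:
        token = secrets.token_urlsafe(32)  # would be mailed out-of-band
        del token
    return {"ok": True, "msg": GENERIC_MSG}


def safe_answer_question(username, guess):
    """Constant-time comparison plus a per-account guess cap, so recovery
    answers cannot be brute-forced the way the leaky version allows."""
    n = _attempts.get(username, 0)
    if n >= MAX_ATTEMPTS:
        return False
    _attempts[username] = n + 1
    user = USERS.get(username)
    if user is None:
        hmac.compare_digest(b"x", b"y")  # keep the code path comparable
        return False
    return hmac.compare_digest(guess.lower().encode(), user["answer"].encode())


if __name__ == "__main__":
    names = ["alice", "jsmith", "bob"]
    print("leaky reset enumerates:", enumerate_usernames(names, leaky_password_reset))
    print("safe reset enumerates: ", enumerate_usernames(names, safe_password_reset))
```

Run stand-alone, the leaky reset endpoint confirms `jsmith` from the wordlist while the hardened one confirms nothing; the hardened question handler locks the account after `MAX_ATTEMPTS` wrong answers, which is the check that turns "guess the pet's name" from a practical attack into a dead end. Sending the reset token only by email, and never reflecting the address, is what closes the second leak Simo described.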