Judicial Watch obtained the HHS documents in response to a court order in a Freedom of Information Act (FOIA) lawsuit (Judicial Watch v. U.S. Department of Health and Human Services (No. 1:14-cv-00430)). The lawsuit was filed in March 2014 after HHS failed to respond to a December 20, 2013, FOIA request seeking:
- All records related to the security of the healthcare.gov web portal including, but not limited to, studies, memoranda, correspondence, electronic communications (e-mails), and slide presentations from January 1, 2012 to the present.
The documents show a flippant disregard for Senior IT Security Official Tom Schankweiler’s security concerns in a September 23, 2013, email exchange between Fryer and CMS official Jacqueline Toomey, one week before the launch of Obamacare. Toomey tells Fryer: “Breathe … don’t allow him to suck you in.” Toomey adds later in the exchange: “I’m afraid of who he’s ‘blind copying’ on his emails.” Fryer says: “When [Consumer Information and Insurance Systems Group] gets theirs, can you make a gagging sound for me?” Toomey responds: “Giggling.”
In a September 28, 2013, review, Chief Information Security Officer (CISO) Jane Kim rates the risk associated with the Illinois Integrated Eligibility System ATC [Authorization to Connect] as “high,” noting that “87 security controls [were] not documented or incomplete.” The risk associated with Minnesota’s application to connect was also deemed “high,” with 110 incomplete or undocumented security controls. Pennsylvania’s risk was also deemed “high,” with 10 high-level security findings. Hawaii was also considered a “high” risk, with 23 “high-impact” security findings.
A security spreadsheet in a September 19, 2013, email exchange shows that a “high”-level defect in the Obamacare website had been discovered. That finding prompted top IT security officials to schedule an emergency conference call in which Senior IT Security Official Tom Schankweiler tries to persuade then-CMS Chief Information Officer Teresa Fryer to issue a “short term ATO [Authorization to Operate].”
The CMS “Pre-Flight Checklist” published on September 20, 2013, contains a chart indicating that the “Hub,” designed to help verify applicant information used to determine eligibility for enrollment, was unable to perform its tasks. On verification of citizenship, the comment reads: “Hub has been too irregular to work through this, and still don’t have the right data to test to the 5 year bar.” On verification of SSN, the comment reads: “Hub has reliability issues …” The Pre-Flight Checklist also notes nine “high” security risks, 123 “moderate” security risks, 68 “low” risks and 17 “common” risks in various components of the Obamacare system.
“The Trump administration should do an immediate security audit of the Obamacare official website,” said Judicial Watch President Tom Fitton. “In the meantime, Americans should be warned that their private health data is at risk on the Obamacare website.”
In September 2014, Judicial Watch released 94 pages of documents obtained from the U.S. Department of Health and Human Services (HHS) including Security Controls Assessment Test Plans sent by CMS to Mitre Corporation. CMS advised Mitre that the highest “Risk Rating” should be given to flaws that could cause “political” damage to CMS. Moderate and low “Risk Ratings” were to include those resulting in potential “public embarrassment” to the agency.
In March 2015, Judicial Watch released documents from the U.S. Department of Health and Human Services (HHS) revealing that Department of Homeland Security (DHS) worked with HHS on security for healthcare.gov.
In January 2016, Judicial Watch released documents showing federal health care officials’ concerns with the Obamacare website in two productions of records: a 143-page production and an 886-page production. The emails showed that CMS Security Officer Teresa Fryer refused to approve the “ATO” (Authorization to Operate).
Recently, Judicial Watch released 944 pages of Department of Health and Human Services records showing that the Obamacare website was launched despite serious concerns by its security testing contractor, Mitre Corporation, as well as internal executive-level apprehension about security.