U.S. Congressman Tom Graves (R-GA-14) said on Friday that he voted for the Health Exchange Security and Transparency Act (H.R. 3811), a bill to require the Health and Human Services Department (HHS) to notify individuals if their personal information has been stolen or unlawfully accessed through an Obamacare exchange on the HealthCare.gov Web site.
H.R. 3811, passed in the U.S. House by a bipartisan vote of 291-122, requires the Department of Health and Human Services to notify individuals, within two business days, of a breach of any security system maintained by a federal or state exchange that is known to have resulted in personally identifiable information being stolen or unlawfully accessed.
Congressman Graves said in a statement to the media, online press, and the Paulding County Republican Examiner through email communications, “The conduct of the Obama Administration, particularly over the past year, gives the public little hope that it will be forthcoming with information about Obamacare’s failures. Whether it’s the broken website or broken promises about keeping your plan or doctor, prying the full truth out of this Administration has proved to be very difficult.”
The House Energy and Commerce Committee raised the Obamacare exchange security concerns by saying that the Department of Health and Human Services did not perform a full "Security Control Assessment" before the website went live on October 1, 2013.
Failure to conduct adequate end-to-end security testing also led officials to write to CMS Administrator Tavenner, “From a security perspective, the aspects of the system that were not tested due to the ongoing development, exposed a level of uncertainty that can be deemed as a high risk.”
CMS’s Chief Information Security Officer, Teresa Fryer, stated in a draft memo that the federal exchange “does not reasonably meet the CMS security requirements” and that “there is also no confidence that Personal Identifiable Information (PII) will be protected.”
Experts at the credit bureau Experian recently said, “The healthcare industry, by far, will be the most susceptible to publicly disclosed and widely scrutinized data breaches in 2014.”
InformationWeek reported that Michael Bruemmer, Vice President of Experian's breach resolution service, said he is basing this prediction at least partly on reports of security risks posed by the HealthCare.gov website and the health insurance exchanges established by various states.
“The web infrastructure to support health insurance reform was ‘put together too quickly and haphazardly’… The organizational infrastructure behind the implementation of Obamacare is also complex, meaning that many parties have access to the personal data and could misuse or mishandle it. So we have volume issues, security issues, multiple data handling points… all generally not good things for protecting protected health information and personal identity information.”
When the public warnings of security issues and news of breaches broke, Reuters reported that three cyber security experts recommended shutting down the Obamacare site.
The experts told Reuters that the site needed to be completely rebuilt to run more efficiently, making it easier to protect. They said HealthCare.gov runs on 500 million lines of code, or 25 times the size of Facebook, one of the world's busiest sites.
"When your code base is that large, it's going to be indefensible," Morgan Wright, CEO of a firm known as Crowd Sourced Investigations, told Reuters.
“Given that track record, I strongly support this legislation to force HHS to be open and transparent about Obamacare security breaches,” Congressman Graves said.
“There are still major concerns about the security of the exchanges, with experts warning that millions could be at risk. People in the exchanges have a right to know if their personal information has been stolen.”