Menu

Politics

Health Care

35 ObamaCare state exchange websites were deemed 'high risk' before launch, documents show

obama-concerned-internal.jpg

Feb. 25, 2014: President Obama glances at the crowd as walks off the stage after speaking at the National Organizing Summit in Washington.AP

Security experts worried that 35 state health exchange websites were vulnerable to hackers and were rated as "high risk" for security problems before ObamaCare's launch, documents obtained by Fox News show.

Fears that the health law's websites could put consumers at risk have plagued the program's rollout from the beginning, but the administration told The Associated Press that the documents offer only a partial and "outdated" snapshot of an improving situation.

The security problems cited were either resolved or are being addressed through specific actions. No successful cyberattacks have taken place, officials say.

However, the issues detailed in documents and emails provided by the House Oversight and Government Reform Committee reveal broader concerns than the federal Department of Health and Human Services has previously acknowledged.

They show a frenzied behind-the-scenes juggling act by officials and contractors as the Oct. 1 deadline for new health insurance exchanges loomed.

In order to connect to federal computers, state and other outside systems must undergo a security review and receive an "authority to connect."

With the health care law, states needed approval to connect to a new federal data hub, an electronic back room that pings Social Security, the Internal Revenue Service, Homeland Security to verify personal details about people applying for government-subsidized insurance. The hub handles sensitive information, including income, immigration status and Social Security numbers.

The documents, seen by Fox News, showed a high-stakes decision-making process playing out against a backdrop of tension and uncertainty as the clock ran out. In one email from Sept. 29, a Sunday two days before the launch, Teresa Fryer, chief information security officer for the federal Centers for Medicare and Medicaid Services, wrote of the state security approvals, "The front office is signing them whether or not they are a high risk." Her agency, known as CMS, also administers the health care law.

Two days earlier, in a separate document, CMS administrator Marilyn Tavenner approved nine states to connect although the approval document noted that "CMS views the October 1 connections to the nine states as a risk due to the fact that their documentation may not be submitted completely nor reviewed ... by Oct. 1." Approval was contingent on states submitting proper documentation. The states were Arkansas, Illinois, Iowa, Louisiana, Montana, Nebraska, Pennsylvania, Oklahoma, and South Dakota.

Another email shows a CMS PowerPoint presentation from Sept. 23 revealed huge differences in states' readiness. Some were already approved; others had security weaknesses that were well understood and being tackled. But there were also states where the federal government had little information on security preparations.

"CMS views these connections to states as a high risk due to the unknown nature of their systems," according to the presentation.

CMS officials contemplated whether their agency would have to accept risk on behalf of other federal government entities, including Social Security and the IRS.

In a Feb. 20 letter to the oversight panel's chairman, Rep. Darrell Issa, R-Calif., the administration said many of the high-risk issues identified in the documents had a corrective action plan before states got approval to connect. Twelve states received temporary, 60-day permissions to connect before Oct. 1 because the administration had not completed full reviews.

Security concerns about the program have existed for months. In January, security expert -- and once the world's most-wanted cyber criminal -- Kevin Mitnick submitted a scathing criticism to a House panel of Healthcare.gov, calling the protections built into the site "shameful" and "minimal."

"It's shameful the team that built the Healthcare.gov site implemented minimal, if any, security best practices to mitigate the significant risk of a system compromise," he wrote.

Fox News' Mike Emanuel and The Associated Press contributed to this report.