Docs show security concerns for ObamaCare website

The federal ObamaCare website was launched in 2013 despite federal officials’ security concerns, according to documents recently acquired by Judicial Watch.

On Sept. 21, 2013, 10 days before the site went live, two high-ranking Centers for Medicare and Medicaid Services officials discussed 17 “moderate” security issues and two “high” security issues, according to Department of Health and Human Services documents acquired by the watchdog group.

The 1,000 pages of documents reveal that two CMS officials -- information security officer Tom Schankweiler and deputy chief information officer Henry Chao -- resolved both of the high-security issues but apparently left 14 of the moderate ones unresolved.

Emails also show that a separate security check found 17 “high” security issues, prompting Chao to ask, “What are we actually signing off on?”

Schankweiler responded that the numerous security issues resulted in CMS security officer Teresa Fryer refusing to authorize the website,, to operate, according to the documents, which were acquired through a court-ordered response to a Freedom of Information Act request.

And roughly six weeks after the launch, George Linares, the acting chief technology officer of CMS, told colleagues that the site was still running without an “ATO,” or Authorization to Operate, the documents show.

“Operating without an ATO is a serious issue and it represents a high risk to the agency,” he wrote.

“No wonder it took a federal court order to force out these new ObamaCare scandal documents,” said Judicial Watch President Tom Fitton.  “The Obama administration is prosecuting private companies for the same security lapses it knowingly allowed with its own”

Agency leaders said Wednesday that they in fact issued an authorization on September 27, 2013, to operate the site "in line with federal and industry standards."

The agency also said the authorization was limited to six months and conditional, including regular testing.

In addition, the agency established a dedicated security team and conducted weekly testing and security scans, the leaders also said.

The website was built to accommodate Americans shopping for health insurance through the Affordable Care Act. However, the site launched amid glitches and other technical difficulties that resulted in it responding slowly and at times crashing.

The 1,000 pages of documents included emails, studies, memoranda and slide presentations from January 1, 2012 to the present.

The documents also show that on the day before the website launch, Blue Canopy, a contractor that was testing the security, reported that a problem related to receiving messages “would cause the service to crash.”