Memo warned of "limitless" security risks for HealthCare.gov
(CBS News) WASHINGTON -- CBS News has learned that the project manager in charge of building the federal health care website was apparently kept in the dark about serious failures in the website's security. Those failures could lead to identity theft among those buying insurance. The project manager testified to congressional investigators behind closed doors, but CBS News has obtained the first look at a partial transcript of his testimony.
Henry Chao, HealthCare.gov's chief project manager at the Centers for Medicare and Medicaid Services (CMS), gave nine hours of closed-door testimony to the House Oversight Committee in advance of this week's hearing. In excerpts CBS News has obtained, Chao was asked about a memo that outlined important security risks discovered in the insurance system.
Chao said he was unaware of a Sept. 3 government memo written by another senior official at CMS. It found two high-risk issues, which are redacted for security reasons. The memo said "the threat and risk potential (to the system) is limitless." The memo shows CMS gave deadlines of mid-2014 and early 2015 to address them.
But Chao testified he'd been told the opposite.
"What I recall is what the team told me, is that there were no high findings," he said.
Chao testified security gaps could lead to identity theft, unauthorized access and misrouted data.
According to federal guidelines, high risk means "the vulnerability could be expected to have a severe or catastrophic adverse effect on organizational operations ... assets or individuals."
It was Chao who recommended it was safe to launch the website Oct. 1. When shown the security risk memo, Chao said, "I just want to say that I haven't seen this before."
A Republican staff lawyer asked, "Do you find it surprising that you haven't seen this before?"
Chao replied, "Yeah ... I mean, wouldn't you be surprised if you were me?" He later added: "It is disturbing. I mean, I don't deny that this is ... a fairly nonstandard way" to proceed.
Late Monday, Health and Human Services told CBS News the privacy and security of consumers' personal information are a top priority, and consumers can trust their information is protected by stringent security standards. The author of the security memo, Tony Trenkle, retired from CMS last week; no reason was given.