security-265130_1280

 The federal Obamacare website launched in 2013 without authorization to operate and against the judgment of security agency officials.  This left millions of Americans that enrolled on Heathcare.gov vulnerable to possible fraudulent activity – risks that continue to this day for the more than 6.5 million federal enrollees. Although the Obama administration knew about the security risks, the site was launched anyway. 

To determine the safety of Healthcare.gov, Judicial Watch filed a lawsuit, in accordance with the Freedom of Information Act (FOIA), against the Department of Health and Human Services to obtain all records related to security. This came after HHS officials failed to comply with requests in 2013 for these documents. 

The FOIA request found countless problems in the initial months of exchange which verify the administration’s knowledge of risks:

September 21, 2013– The Center for Medicare and Medicaid (CMS) Information Security officer, Tom Schankweiler, expressed concern to the Healthcare.gov project manager Henry Choa stating there was 17 initial “moderate” security issues and two “high” security issues within the Obamacare website. These concerns included issues with contractors, staff shortages, and software malfunctions. This resulted in CMS Security Officer, Teresa Fryer, denying Healthcare.gov the authorization to operate.

September 30, 2013– Just one day before the site’s launch, a private contractor testing the security of Healthcare.gov found that the site did not have the proper ability to handle “specially crafted messages – warning that this would likely cause the site to crash and furthered the lack of security.

October 1, 2013– Healthcare.gov launched even though it was not authorized to operate by government IT security officers. As a result, the website crashed on day one as millions of Americans tried in vain to sign up for healthcare.

November 6, 2013– The chief of technology officer of CMS was reminded that Healthcare.gov was in service without the authorization to operate – This posed a serious issue that “represents a high risk to the agency”.

November 6, 2013– An email correspondence between a CMS security testing officer and a federal programmer for the site, there detailed a warning: “it is possible for anyone to run a brute force attack against Healthcare.gov to obtain the results of their eligibility.” This meant that personal information of enrollees such as household income, social security numbers, wage and tax statements, home and mailing addresses, was at risk.

In the months following, the Obama Administration contracted various groups in an attempt to remedy the quality assurance issues of Healthcare.gov. Despite spending a further $2.14 billion in taxpayer dollars, they failed to fix some of the most serious security concerns. 

Two years later, and after persistent and detailed warnings were directed to administration officials, Healthcare.gov was hacked by an outside source.

This latest news comes after multiple alarms were raised regarding the site’s safety measures including the ability of Healthcare.gov to safeguard personal documents and legitimacy of citizenship. Today, the site continues its service without “authorization to operate” from agency information security. Anyone currently enrolled on the Obamacare website may be subject to these risks.