ADVERTISEMENT

Congress Presses Obama on Healthcare.gov Security Risks

House committee demanding answers on vulnerability of personal info

healthcare.gov
AP
December 12, 2013

The House Committee on Science, Space, and Technology is demanding answers from President Barack Obama regarding critical security flaws within the Obamacare website Healthcare.gov.

Science Committee Chairman Lamar Smith (R., Texas) and 21 other Republican members sent a letter to the White House on Wednesday, asking Obama "what your administration is doing to address the security risks and privacy concerns surrounding Healthcare.gov."

"Though we appreciate the administration's efforts to address the flaws with the site's capacity, we are concerned that the larger security and privacy issues remain unaddressed," the representatives wrote. "While more people may be able to access the site, without much-needed security enhancements, this simply means that more Americans are vulnerable to online criminals and identity theft."

The letter references a committee hearing held on Nov. 19 where "white hat hacker" David Kennedy and other IT experts testified on the serious security flaws within the Obamacare website.

"According to his testimony," the letter reads, "not only is the website vulnerable, it’s under active attack."

Kennedy told the Washington Free Beacon that the security within the website has only gotten worse since the administration’s so-called "fix" on Nov. 30. "It doesn’t appear that any security fixes were done at all," he said.

The committee said the framework of the site itself, which includes over 500 million lines of code, leaves Americans vulnerable to attack.

"By design, Healthcare.gov interfaces with numerous federal, state, and commercial sites and databases," the letter said. "The data passing through the Healthcare.gov website is one of the largest collections of personal information ever assembled, linking information from seven different federal agencies along with state agencies and government contractors."

The site transmits the personal information of marketplace shoppers—including Social Security numbers, birthdays, incomes, home mortgages, and addresses—through its "data hub."

"Although the website itself does not retain personal data," the letter explains, "it transmits it to other sites."

"Without adequate security measures, Healthcare.gov essentially becomes a portal for online criminals to access even more sensitive, personal data maintained by the IRS, state agencies, and insurance companies that share information with the website," the committee said. "The size and scope of information sharing alone raises significant security concerns."

When asked by Rep. Dana Rohrabacher (R., Calif.) during the hearing last month whether hackers from Russia and China could breach the online marketplace, Kennedy said "absolutely."

"So we are facilitating some of the worst scum in the world, not even in our own country—which we have enough problems with criminals in our own country—but the worst type of elements throughout the world can actually now get at our citizens," Rohrabacher said.

The committee said it appears the administration neglected the security of Healthcare.gov in order to get the site up and running by the administration’s self-imposed start date on Oct. 1.

"Unfortunately, in its haste to launch the Healthcare.gov website, it appears that your administration has cut corners that have left the website open to hackers and other online criminals," the letter said. "If the security flaws go unaddressed, the more people who use the site will simply mean more Americans vulnerable to identity theft."

The letter asks what explicit steps have been taken to improve the security of Healthcare.gov, who is overseeing the site’s security needs, and if ongoing tests by outside hackers are being conducted. The committee asked for answers to be delivered by Dec. 18.

"Mr. President, your administration has an obligation to ensure that the personal, financial, and account information collected as part of the Affordable Care Act is secure," the committee said.