HealthCare.gov’s massive meltdown was sparked by the White House meddling in the Obamacare website’s management and prioritizing politics over results — leaving ongoing security concerns — according to a Thursday report from Republican Senate staff.
The report, sponsored by Republican Senators Chuck Grassley and Orrin Hatch, charged the Obama administration with impeding the work Health and Human Services officials were supposed to do by forcing politics into the situation. Officials ignored red flags about missed deadlines, poor coding and security concerns, but continued to present a rosy picture to the public while workers knew the website’s construction was a mess.
“Officials ignored countless red flags to launch a website with thousands of defects,” the report charges. “These [administration] officials were aware for months of gaping holes in testing, critical security concerns, and failures under the most modest simulations.”
The Obama administration was guilty of some of the basic oversights that created similar messes out of state run exchanges, particularly Oregon’s. The Centers for Medicare and Medicaid Services, the HHS subagency in charge of Obamacare implementation, failed to coordinate HealthCare.gov’s management and oversight at all.
There was no individual or entity within the department to oversee multiple contractors’ work, and there was no private contractor working outside that oversaw all the other companies working on pieces of the federal exchange. The administration has now appointed deputy chief of staff Kristie Canegallo to work across agencies to coordinate Obamacare implementation in the future, but Canegallo will also split her time on other issues, including Afghanistan.
But even when top officials were repeatedly informed of the website’s failings, consumer protection was a lower priority than getting some version ready by the Obama administration’s October 1 deadline. Teresa Fryer, CMS’s top IT security official, refused to sign a document certifying the website’s security from hackers — vital to protecting personal identifying information.
Fryer made it clear to several top HHS officials that HealthCare.gov’s security wasn’t up to snuff — 40 percent of security controls hadn’t been tested and no one knew whether the website would be able to protect millions of Americans’ personal data. As late as December 2013, Fryer testified that security concerns were still unresolved, the report documents.
But CMS chief Marilyn Tavenner signed the form approving HealthCare.gov’s security against Fryer’s recommendation, a highly unusual move, according to the report. The website moved ahead even though, according to IT contractor TurningPoint, CMS didn’t even have any standards for what would have been an acceptable risk level.
When it came to security, “the bar was not just low, it was nonexistent,” according to the committee.
“The Administration looked the other way on problems, even when the independent contractor hired to monitor the project was waving red flags, pointing to likely failure,” Sen. Grassley pointed out. “This involved taxpayer money and website users who wasted their time on something that wasn’t working. When political will overpowers practical considerations, you get a mess like this website rollout.”
While most of the consumer-facing portions of HealthCare.gov have been fixed, a significant amount of work remains. The Obama administration hasn’t yet finished building the back-end of the website, which connects the federal government with insurance companies. The administration is in the midst of a makeover to get the website up to date before the next open enrollment period.