Rep. Darrell Issa slammed Obamacare administrator Marilyn Tavenner Thursday for failing to disclose that HealthCare.gov actually has revealed some customers’ personal information.
During heated questioning from Oversight Committee chairman Rep. Issa, the committee determined that although Tavenner had just testified that HealthCare.gov didn’t release Obamacare enrollees’ personally identifiable information (PII), the GAO confirmed that the site actually has leaked some information.
“For the 13 [breaches into HealthCare.gov], there was PII that was disclosed to a consumer through a technical glitch,” said Gregory Wilshusen, GAO director of information security issues.
Tavenner had said moments before in her testimony to the committee that “there is no evidence that a person or group has maliciously accessed personally-identifiable information.”
She protested that she had been discussing only “malicious” attacks on the website in her statement. Several minutes later, however, she once again misspoke and claimed that “we have had no breach of personal information.”
Several committee members questioned whether CMS has done the testing to know whether that’s accurate. Democrats had also belatedly asked the U.S. Computer Emergency Readiness Team’s director, Ann Barron-DiCamillo, to appear at the hearing just this Monday. But upon questioning from Issa, Barron-DiCamillo admitted that CERT has done no testing of HealthCare.gov and only recently analyzed the images of the latest breach of HealthCare.gov, which were provided to them by CMS.
The GAO’s Wilshusen also charged that CMS was frustratingly difficult to work with when investigating the website. The GAO found 13 incidents related to HealthCare.gov’s data security, but CMS stonewalled investigators’ attempts to look into the problems.
“CMS tried to restrict access to documents,” Wilshusen told the committee, and indicated that they were concerned about sensitive security information. “We elevated the issue within GAO…and they did provide the information for us to look at.”
“So there was no reason they should’ve denied it to begin with?” Issa pressed. Wilshusen agreed there wasn’t.
Several Democrats on the committee, Rep. Jackie Speier and ranking member Rep. Elijah Cummings, preferred to focus on hitting Republican leadership for not spending more time digging into private companies’ data breaches, such as Target’s data breach last year.
Issa noted that the Oversight Committee does not have jurisdiction over these private companies, while the House Financial Services Committee does and has held hearings on those entirely unrelated issues.