Sen. Mitch McConnell (R-Ky.), in a letter to the Centers for Medicare and Medicaid Services (CMS) Monday, expressed concern that CMS is being pressured into certifying that the Obamacare's health care exchanges are ready to launch even though it cannot guarantee the security of personal and financial data.
In a letter to CMS Administrator Marilyn Tavenner, McConnell contends that the exchanges should not open before the independent Inspector General verifies that personal and financial data is protected from hackers and cyber criminals and also asked for assurances that the CMS Chief Information Officer will not be pressured to certify the system's readiness until all data is secure:
"I request that you assure the public that your Chief Information Officer will not be pressured to certify the system's readiness by signing the Security Decision Authorization until it is secure."
"If you rush to go forward without adequate safeguards in place, any theft of personal information from constituents will be the result of your rush to implement a law to meet the agency's political needs and not the operational needs of the people it is supposed to serve."
McConnell was responding to a Health and Human Services (HHS) Inspector General's report last week that said CMS has missed multiple deadlines for testing and reporting data security risks in connection with signing up for insurance on the government's health care exchanges. The Inspector General said that HHS doesn't expect a final security assessment report from an independent testing organization until 10 days before the Federal Data Services Hub is scheduled to open, which is hardly enough time to fix any security problems that may be identified.The full text of the letter is below:
August 12, 2013
Ms. Marilyn Tavenner
Centers for Medicare and Medicaid Services
7500 Security Boulevard
Baltimore, Maryland 21244-1849
Dear Administrator Tavenner:
I write to express my deep concern about reports that the Centers for Medicare and Medicaid Services (CMS) has missed multiple deadlines for assuring the security of the Federal Services Data Hub. Americans should not be forced to enter into exchanges when CMS is so ill-prepared to guarantee the protection of personal data and taxpayer resources from hackers and cyber criminals who would use this sensitive data for personal gain.
As you know, I oppose Obamacare and support its full repeal. Yet in recent months, even some of the Administration's closest allies have raised alarms about the potential implementation "train wreck" to come. While I believe we ought to repeal this law and replace it with commonsense reforms that lower cost, Americans ought to be assured, at an absolute minimum, that their personal and financial data will be safe from data thieves.
HHS' recent track record does not inspire much confidence. Last week, the Office of the Inspector General reported that the CMS has missed multiple deadlines for testing, reporting, and remediating data security risks in the Federal Data Services Hub. In fact, HHS does not expect a final Security Control Assessment (SCA) report from an independent testing organization until 10 days before the Hub is scheduled to begin operations, hardly enough time to fix any problems that may be identified. Furthermore, the current schedule calls for CMS's Chief Information Officer (CIO) to certify the Security Authorization Decision on September 30, 2013, the day before exchanges open.
Adding to these concerns are reports that CMS has signed a $1.2 billion contract with a company to receive, sort, and evaluate applications for financial assistance in the exchanges that include personal, sensitive data. According to published reports, this particular company "has little experience with the Department of Health Human Services or the insurance marketplaces, known as exchanges, where individuals and small businesses are supposed to be able to shop for insurance." And just last year, it was disclosed that more than 120,000 enrollees in the federal Thrift Savings Plan had their personal information, including Social Security numbers, stolen from your contractor's computers in 2011.
- Given the compressed timeframe between the conclusion of system testing and the scheduled opening of the exchanges, I am asking you to delay opening the exchanges until the Inspector General can guarantee the security of the exchanges.
- I request that you assure the public that your Chief Information Officer will not be pressured to certify the system's readiness by signing the Security Decision Authorization until it is secure.
- Considering their recent history, can you guarantee that your contractor will protect taxpayer information in the exchange more carefully than it protected the data of federal employees in the Thrift Savings Plan?
While I have grave concerns about this law under any circumstance, Americans should not be forced into the exchanges, and certainly not without these assurances. If you rush to go forward without adequate safeguards in place, any theft of personal information from constituents will be the result of your rush to implement a law to meet the agency's political needs and not the operational needs of the people it is supposed to serve.
Thank you in advance for your attention in this matter. I look forward to your reply.