November 13, 2013

There may never be a more classic line in the pantheon of empty boasts by competitive news organizations. On Monday night, CBS News reporter Sharyl Attkisson came up with what looked like a significant story: “Memo warned of ‘limitless’ security risks for HealthCare.gov.” As the story and on-air broadcast alleged, the person entrusted with putting together HealthCare.gov was “apparently kept in the dark about serious failures in the website’s security. Those failures could lead to identity theft among [those] buying insurance.”

How did Attkisson know this? “CBS News has obtained the first look at a partial transcript of his testimony.”

Which is like saying you’ve got the exclusive on half the story.

To consume Attkisson’s story is to freak out about HealthCare.gov. The scoop here is that Henry Chao, HealthCare.gov’s chief project manager at the Centers for Medicare and Medicaid Services (CMS), somehow didn’t know about a Sept. 3 memo warning of issues on that troubled government Web site. The transcript to which Attkisson gained access spells out some serious alleged difficulties with the site. From the televised report: “In excerpts we’ve obtained, Chao was asked about a memo that outlined important security risks discovered in the insurance system. Chao said he was unaware of this Sept. 3 government memo written by another senior official at CMS. It found two high-risk issues which are redacted for security reasons. The memo said, ‘The threat and risk potential to the system is limitless.’ The memo shows CMS gave deadlines of mid-2014 and early 2015 to address them.”

Via Attkisson’s treatment, Chao comes off looking clueless about a critical aspect of HealthCare.gov. In her narrative, a Republican lawyer questioning Chao asked him if he found it “surprising” that he’d never seen that memo before. Chao replied, “‘Yeah . . . I mean, wouldn’t you be surprised if you were me?’ He later added: ‘It is disturbing. I mean, I don’t deny that this is . . . a fairly nonstandard way’ to proceed.”

In a hearing of the House oversight and government reform committee today, Attkisson’s story received something of a public fact-check. Rep. Gerald Connolly, apparently rankled by the CBS News piece, launched a series of pointed questions at Chao. The short take from the exchange is this: The CBS News report looks completely misleading. Here’s a selective summary of what Connolly discussed with Chao:

Connolly: Correct that Republicans presented you with a document you hadn’t seen before? Chao: Correct.

Connolly: Correct that the document indicated that there were two “open high-risk” findings in Obamacare exchange? Chao: Correct.

Connolly: Correct that someone leaked parts of your transcript to CBS News? Chao: “It seems that way.”

Connolly: Correct that the document discusses risks relating to two Web site modules on dental plans and qualified health plans? Chao: Correct.

Connolly: Correct that neither of those modules is active at this point? Chao: Correct.

Connolly: Correct that the Sept. 3 memo did not apply to the Obamacare marketplace? Chao: Correct.

Connolly: Correct that modules do not contain any personally identifiable information on consumers? Chao: Correct.

“So when CBS Evening News ran its report based on a leak, presumably from the [Republican] staff, but we don’t know — of a partial transcript — excerpts from a partial transcript — they said the security issues raised in the document, and I quote, ‘could lead to identity theft among buying insurance,’ that cannot be true based on what we established in our back and forth. Is that correct?”

Chao replied: “That’s correct. I think there was some rearrangement of the words I used during the testimony and how it was portrayed.”

The Erik Wemple Blog raised similar questions to CBS News yesterday. It declined to comment.

Attkisson’s story did contain this nod to the administration’s position: “Health and Human Services told CBS News the privacy and security of consumers’ personal information are a top priority, and consumers can trust their information is protected by stringent security standards.”

Erik Wemple writes the Erik Wemple blog, where he reports and opines on media organizations of all sorts.