“Someone knew this system wasn’t ready. And yet for political reasons, as the chairman said, they went ahead and launched it and put millions of Americans’ personal information at risk.”
– Rep. Jim Jordan (R-Ohio), interviewed by Fox News’s Sean Hannity, Nov. 13, 2013
“What we know is that the people who knew or should have known, in fact, just simply ignored it.”
– Rep. Darrell Issa (R-Calif.), chairman of the House Government Reform and Oversight Committee, same interview.
These comments were made by Reps. Jordan and Issa shortly after Issa chaired a hearing that focused in part on a memo that had not been seen by Henry Chao, the chief digital architect for the Affordable Care Act health-care exchanges. The memo had been the focus of a news release sent out on Monday evening by committee Republicans, two days before the hearing, generating news reports by CBS News and The New York Times. These remarks were prompted by Sean Hannity’s questions about the memo, apparently based on that earlier reporting.
But here’s the odd thing: Chao’s testimony at the hearing contradicted the news release. Let’s see what happened.
The committee’s news release asserted that a Sept. 3, 2013, memo outlined “serious security vulnerabilities” in the exchange and quoted Chao, who had not seen it before being shown it by committee staff, as saying it “presented a significant risk to the system.” But it turned out that, upon close examination of the memo, it had nothing to do with the parts of the Web site that launched on Oct. 1. Instead, the memo dealt with modules of the Web site that would not be operational until spring of 2014 — and even when these modules go online, they will not submit or share personally identifiable information.
We have embedded below the video of the section of hearing in which Rep. Gerald Connolly (D-Va.) obtains this information from Chao.
The key quote from the exchange–first highlighted by our colleague Erik Wemple–is this:
CONNOLLY: So to just summarize, correct me if I’m wrong, the document leaked to CBS Evening News did, in fact, not relate to parts of the Web site that were active on October 1. They did not relate to any part of the system that handles personal consumer information. And there, in fact, was no possibility of identify theft, despite the leak.
As far as we can tell, neither CBS News nor the Times has updated its original story to reflect this testimony. And it also does not appear that either Issa or Jordan was listening very closely.
Here’s the key exchange on “The Sean Hannity Show,” just hours after the hearing ended:
HANNITY: Yes. All right, let’s go to some of the risk issues because the fact that they launched this with navigators that had no criminal background check — we learned from Mr. Chao yesterday that there was a memo issued, and they found prior to the launch of this two high-risk issues, and the memo said, quote, “The risk — the threat and risk potential to the system is limitless.” Limitless? And he never saw this memo? How — he’s the chief project manager for the Center for Medicare and Medicaid Services? Congressman Jordan, how is that possible?
JORDAN: Well, I think what’s even more scary is, Sean, someone did see it. Someone knew this system wasn’t ready. And yet for political reasons, as the chairman said, they went ahead and launched it and put millions of Americans’ personal information at risk. And do you know why they wouldn’t delay it? For political reasons. They couldn’t admit that Republicans were right, that this thing needed to be delayed. This law wasn’t ready. It should be delayed. Frankly, it should be repealed. They didn’t — they were willing to put Americans’ personal information at risk because they couldn’t admit — this administration couldn’t admit that Republicans were right, and frankly, most of America is right when they don’t like this law and they want it changed.
HANNITY: You know, Congressman Issa, I actually looked — they actually in the memo said the risk to the system is limitless. That was in the memo that Mr. Chao, who should have seen this, didn’t see. Federal guidelines actually define what high risk means, and they say the vulnerability could be expected to have severe or catastrophic adverse effects of organizational operations, assets or individuals. Who then bypassed the people that were supposed to know these things? Do you know the answer yet?
ISSA: Well, what we know is that the people who knew or should have known, in fact, just simply ignored it.
It’s fairly clear that the two lawmakers are responding to Hannity’s questions about the memo, as he mentions it four times. And when Jordan and Issa use the word “it,” that can only be referring to the memo.
Frederick R. Hill , the committee’s deputy staff director for communications and strategy, conceded that lawmakers’ comments did not reflect the information obtained at the hearing. “It is fair to point out that Congressman Connolly was effective in getting Mr. Chao to state his position that the Sept. 3 memo was not about something that launched on Oct. 1,” he said. In their remarks, he said Issa and Jordan “transitioned to a broader thing about the readiness of the site for security purposes.”
Translation: The two men had their talking points, and were using Hannity’s questions about the memo to make them. Evidently, they did not believe it was necessary to correct Hannity’s wrong information about the memo — which apparently reflected news reports ginned up by the committee.
Hill pointed out that Chao, in a July e-mail, had noted that he had testified under oath to Congress that the now-troubled Web site would be launched on Oct. 1. He also noted that Democrats on the committee, in a memo, have said “the deployment of the Healthcare.gov website was not adequately tested or implemented.” (Note: that specific section has to do with performance testing, not security of personal information.)
“I think this is a firm factual foundation for the members to express the view that Americans face risks due to incomplete testing omitted in a rush to meet a politically committed deadline of October 1,” he said. He also noted that Chao has not stepped away from his claim in the interview that he should have been informed about the memo. (He was not specifically asked this question at the hearing.)
The Pinocchio Test
The Fact Checker appreciates Hill’s acknowledgement that Issa and Jordan did not try to explain to Hannity that new information had cast the memo in a different light. And certainly politicians may be wary of correcting the misimpressions of a friendly interviewer.
But there still appears to be little factual basis to make the hair-raising claim that, by launching the Web site on Oct. 1, the administration was putting “millions of Americans’ personal information at risk,” as Jordan put it, or that “people who knew or should have known, in fact, just simply ignored it,” as Issa asserted.
Chao was at the center of the committee’s original news release. And he testified that the memo in question did not relate to a part of the Web site that went active on Oct. 1 and did not relate to a part of the system that handles personal information. Issa and Jordan certainly have the right to express opinions, but they can’t tie their opinions to information that has already been disproved.
(Note: We were focused on the information contained in the Sept. 3 memo. Since this column appeared, Hill has argued that the lawmakers had a broader base of information for making these assertions. In particular, he noted testimony in Congress on Nov. 19 by some cyber security experts that apparent security flaws in the Web site are so extensive that it should be shut down until it is fixed. However, independent testers also testified they are confident the system is secure. We will continue to monitor this issue and may adjust this rating depending on the evidence that emerges.)
NEW: Send us facts to check by filling out this form