The internal HHS memo warned that the system had not been sufficiently tested, “exposing a level of uncertainty that can be deemed high risk,” although the authors of the memo did not appear to have a specific vulnerability in mind.
Sebelius, testifying Wednesday morning before the House Energy and Commerce Committee, offered assurances that consumers’ personal data were safe.
She acknowledged that “access to HealthCare.gov has been a miserably frustrating experience for way too many Americans,” and she pledged that the problems would be fixed by the end of November. She offered an apology for the site’s troubled launch, while also attributing the breakdowns to private-sector contractors.
“I am as frustrated and angry as anyone with the flawed launch of HealthCare.gov,” Sebelius told the committee in an opening statement. Addressing Americans who want to buy health insurance but have been stymied by the Web site, she said: “You deserve better. I apologize. I’m accountable to you for fixing these problems, and I’m committed to earning your confidence back by fixing the site.” She said the problems are “fixable.”
The hearing marked Sebelius’s first public appearance before lawmakers to publicly explain the problems with the launch of HealthCare.gov.
According to the Sept. 27 memo to Medicare chief Marilyn Tavenner, a Web site contractor was not able to test all the security controls before the launch. The memo recommended setting up a security team to address risks and conduct daily tests, with a full security test to follow within two to three months.
Questioning Sebelius about the security issue, Rep. Anna G. Eshoo (D-Calif.) cited “a security break that arose recently” and asked Sebelius if she were confident that the new system would “secure the financial information that applicants have to disclose.”
Sebelius said she does have that confidence, adding that “there was not a breach” but a “theoretical problem” raised by a “skilled hacker.” She said the problem “was immediately fixed.”
Committee Republicans were not convinced.
“You accepted a risk on behalf of every person . . . that put their personal and financial information at risk because you did not even have the most basic ‘end-to-end’ test on security of this system,” Rep. Mike Rogers (R-Mich.) told Sebelius. “Amazon would never do this. ProFlowers would never do this. Kayak would never do this.”