Department of Health & Human Services Secretary Kathleen Sebelius (Jim Bourg/Reuters) Department of Health & Human Services Secretary Kathleen Sebelius (Jim Bourg/Reuters)

On Monday, CBS News’s Sharyl Attkisson reported that security problems with the federal health-care Web site “could lead to identity theft among [those] buying insurance.” Also included in the report was an allegation that Henry Chao, chief project manager of, was kept in the dark about a Sept. 3 memo warning of “limitless” risk in the system.

Attkisson boasted that her reporting was based on a “first look at a partial transcript” of a closed-door Nov. 1 session in which staffers of the House government oversight committee, which is led by Rep. Darrell Issa (R-Calif.), questioned Chao. Here’s how CBS News described the proceedings:

Chao said he was unaware of a Sept. 3 government memo written by another senior official at CMS [Centers for Medicare and Medicaid Services]. It found two high-risk issues, which are redacted for security reasons. The memo said “the threat and risk potential (to the system) is limitless.”

On Wednesday, a hearing of that very committee ripped the stuffing out of Attkisson’s piece. Especially the contention about identity theft: Chao was present at the hearing and got into detail about the CBS News report in response to questions from Rep. Gerald Connolly. That “risk potential” cited in the Attkisson piece? Chao testified that it wasn’t operational because the Sept. 3 memo addresses “modules” that aren’t yet in place — specifically, the “Qualified Health Plan” (QHP) module and the dental module. And that identity-theft exposure? No such risk here because those two parts of the system aren’t consumer-facing. As Wednesday’s testimony revealed:

CONNOLLY: And these modules allow insurance companies to submit their dental and health care plan information to the marketplace — is that correct?

CHAO: Correct.

CONNOLLY: That means that those modules do not contain or transmit any personally identifiable information on individual consumers, is that correct?

CHAO: Correct.

CONNOLLY: So to be clear, these modules don’t transmit any specific user information, is that correct?

CHAO: Correct.

CONNOLLY: So when CBS Evening News ran its report based on a leak, presumably from the majority staff … they said the security issues raised in the document, and I quote, “could lead to identity theft among buying insurance,” that cannot be true based on what we just established in our back and forth, is that correct?

CHAO: That’s correct. I think there was some rearrangement of the words that I used during the testimony in how it was portrayed.

A step back for some fundamentals. The Web dimension of Obamacare has a lot of components. There are the eligibility and enrollment tools, which launched on Oct. 1 and are at the heart of what we now know as There’s the site’s educational component. There’s a data hub that distributes applicant information to other Web sites. And there are other modules. Before various components are launched, they require what’s called an “authority to operate” (ATO) memo, a document that identifies ongoing issues with the systems.

Two such ATO memos figure into the story about Chao and First is the Sept. 3 ATO memo. That one pertains to the QHP and dental modules; House oversight committee staffers put it before Chao at that closed-door session on Nov. 1. Chao displayed little familiarity with its details, perhaps because it addressed parts of the system that were months away from implementation. Democratic staff on the House oversight committee claim that Chao was “sandbagged” by hostile interrogators who were playing gotcha with the Sept. 3 memo.

A look at the memo shows how easy it is to botch its abridgment. Its subject line reads, “Authorization Decision for the Federal Facilitated Marketplaces (FFM) System.” What follows is an acronymical thicket — computer terminology mixed with bureaucratic terminology, an apparent conspiracy to make sure that some outsider — Attkisson! — may well misinterpret the memo’s gist. The Erik Wemple Blog has read the thing a number of times and has spoken with three government sources about its ins and outs. Still we’re short of mastery. The following line appears to be the indicator that this memo outlines risks not for the current site, but rather for those wonky future modules: “The current configuration includes only the Federal Facilitated Marketplaces Qualified Health Plans (QHP) and Dental modules.”

Now for the second ATO memo, dated Sept. 27. That one pertains to the eligibility and enrollment tools in, precisely the functions that have caused so much political misery for the administration and so much frustration for health-insurance seekers over the past six weeks. Who authored the Sept. 27 document? Chao himself signed it, along with another official. The memo addresses’s security pitfalls and lays out a two-pronged plan to address them. Given that Chao’s name sits atop the document, it appears that he was briefed on the current system’s integrity, as the transcript of his Nov. 1 grilling indicates.

That impression runs directly counter to the one left by the CBS News story, which paints Chao as being clueless regarding these pivotal topics. “It was Chao who recommended it was safe to launch the website Oct. 1. When shown the security risk memo, Chao said, ‘I just want to say that I haven’t seen this before,'” notes the story.

Perhaps Attkisson assumed that the average CBS News consumer already knew the difference between the Sept. 3 ATO and the Sept. 27 ATO.

CBS News has not issued any updates, corrections or clarifications to the story. Maybe it just doesn’t attach much credence to federal officials testifying on the record.

The apparent weaknesses in the Attkisson piece extend beyond the parts that sustained rebuttal at Wednesday’s hearings. In a critical passage of Attkisson’s story, she discusses the “high-risk issues” cited in the Sept. 3 memo. After noting that the threat from such issues is “limitless,” Attkisson drops in this line: “The memo shows CMS gave deadlines of mid-2014 and early 2015 to address them.”

Now: The CBS News report never specifies that the “high-risk issues” do not affect the currently operating and, in fact, relate to components of the system that’ll go online much later. Stripped of such detail, the story leaves a grave impression — namely, that these “high-risk issues” are plaguing the current and the government figures it’ll get around to fixing things in a year or more.

There’s plenty here for CBS News to revisit. If it takes issue with Chao’s congressional testimony on Wednesday, then it should come forth and say so. Thus far it hunkered down, as the original Attkisson story bears not even an update addressing the Connolly-Chao tag-team attack. CBS News earlier this week told the Erik Wemple Blog that its story had quoted Chao “accurately.” As the network demonstrated with its “60 Minutes” fiasco, however, it’ll issue corrections only under duress.

Contemporary American media being what it is, a damning story such as Attkisson’s can’t help but make the jump to other outlets. Just hours after Chao disputed the CBS News story, it showed up in an unqualified manner on Fox News’s “Hannity.” Transcript:

SEAN HANNITY: We learned from Mr. Chao yesterday that there was a memo issued, and they found prior to the launch of this two high-risk issues, and the memo said, quote, “The risk — the threat and risk potential to the system is limitless.”
Limitless? And he never saw this memo? How — he’s the chief project manager for the Center for Medicare and Medicaid Services? Congressman Jordan, how is that possible?

REP. JIM JORDAN (R), OHIO: Well, I think what’s even more scary is, Sean, someone did see it. Someone knew this system wasn’t ready. And yet for political reasons, as the chairman said, they went ahead and launched it and put millions of Americans’ personal information at risk!

Frederick Hill, a spokesman for Issa, says that if the Department of Health and Human Services (HHS) had any issues with Chao’s Nov. 1 testimony, it had nearly two weeks before Wednesday’s hearing in which to address them. And the memos in dispute — those came from contractors, not from the government, says Hill. “The first set of documents we got from HHS was yesterday.”

Erik Wemple writes the Erik Wemple blog, where he reports and opines on media organizations of all sorts.