GOP committee leaders in the Senate and House want answers concerning more than 300 documented security breaches on HealthCare.gov revealed in a report released by nonpartisan government watchdog group the Government Accountability Office (GAO).
On March 23, Republican committee leaders sent a firm letter addressed to Health and Human Services Secretary Sylvia Burwell and Centers for Medicare & Medicaid Services Acting Administrator Andy Slavitt requesting information on the unnerving report's finding that HealthCare.gov had 316 security breaches between October 2013 and March 2015, 41 of which involved personally identifiable information.
The leaders also took issue with the fact that, according to the GAO report, the Department of Health and Human Services (HHS) does not have complete records indicating the number of people impacted by the breaches, despite GAO recommending HHS keep track of such documentation in 2013.
“We wrote to you on Sept. 17, 2014, and again on Jan. 30, 2015, with concerns about the security of HealthCare.gov,” the committee leaders wrote. “In those letters we asked for information about HealthCare.gov security breaches, including breaches of personally identifiable information, and about unauthorized information sharing with third parties.”
The letter states the GOP committee leaders received a response from HHS assuring them they could put their concerns to bed because there had been no incidents of security breaches or unauthorized sharing of information.
But the GAO report states otherwise. The watchdog group discovered that some of the incidents were probes by hackers trying to find weaknesses. Investigators, however, don’t believe the hackers gained access to crucial personal information like birth dates or Social Security numbers.
Still, Senate and House members want details.
“We are extremely concerned that we were not informed of the ongoing security incidents,” they wrote. “In order to assist us in fulfilling our oversight responsibilities, please send us a list and description of every security incident involving HealthCare.gov since October 2013, including how many individuals’ records were compromised, whether the incident involved personally identifiable information, and whether the affected individuals were notified.”
HealthCare.gov had a turbulent launch in 2013 with many users complaining of long processing delays, getting kicked off the site repeatedly and the website crashing. After spending millions of dollars to fix the glitches, the Obama administration eventually ironed out the issues and improved user experience.
Before signing off, the Republican legislators asked HHS to send documentation on its Breach Response Team’s standard operating procedures, its annual reports since 2013, the CMS breach response plan, and reports detailing what action the department took after each security incident.
“If HHS did not inform affected individuals, we urge you to change that policy immediately,” they wrote.
The letter was sent by Senate Health, Education, Labor and Pensions Committee Chairman Lamar Alexander (R-Tenn.); Senate Finance Committee Chairman Orrin Hatch (R-Utah); House Energy and Commerce Committee Chairman Fred Upton (R-Mich.); House Ways and Means Committee Chairman Kevin Brady (R-Texas); House Oversight and Government Reform Committee Chairman Jason Chaffetz (R-Utah); Senate Judiciary Committee Chairman Chuck Grassley (R-Iowa); Senate Commerce Committee Chairman John Thune (R-S.D.); and Senate Committee on Homeland Security and Governmental Affairs, Permanent Subcommittee on Investigation Chairman Rob Portman (R-Ohio).
The GOP leaders requested a response by April 6.