CMS officials contemplated whether their agency would have to accept risk on behalf of other federal government entities, including Social Security and the IRS.
A federal contractor explicitly detailed the potential consequences of what he called an "elevated high risk."
Allowing states to connect without the appropriate review "introduces an unknown amount of risk" that could put the personal information of "potentially millions of users at risk of identity theft," not to mention exposing the program to fraud, contractor Ryan Brewer wrote to CMS security in a Sept. 18 email.
Brewer had formerly been in government as the top CMS information security officer. He is currently with the cybersecurity firm GrayScout. The administration says he had no direct knowledge of the status of state security information.
In a Feb. 20 letter to the oversight panel's chairman, Rep. Darrell Issa, R-Calif., the administration said many of the high-risk issues identified in the documents had a corrective action plan before states got approval to connect. Twelve states received temporary, 60-day permissions to connect before Oct. 1 because the administration had not completed full reviews.
Currently, 46 states and Washington, D.C., have full three-year permissions to connect, wrote HHS assistant secretary Jim Esquea.
"The administration has not been forthcoming with the American people about the serious security risks," Issa said in a statement. "Despite repeated assurances from HHS, the department appears to still be struggling with security concerns."
Cybersecurity consultant and author Theresa Payton, who reviewed the materials for the AP, said it's difficult to second-guess the administration's decisions. A phased rollout of the health care markets would have been a prudent way to keep risks manageable. But Payton, who was chief White House information officer for President George W. Bush, said federal agencies can face unique deadline pressures.
The administration should have found a way to let consumers know that the new online markets weren't quite ready for prime time, she said. "A customer education campaign on how to avoid fraud would have gone a long way."
Even top-performing states are not immune to problems. In a Jan. 10 email exchange, officials and contractors wondered whether they might have to disconnect California from federal computers after a website publicly disclosed that state's vulnerabilities.
"There are many security issues with the states' systems," a contractor wrote to CMS supervisors. "I would expect many more of the 'known' flaws to be posted in the near future."
The administration says officials quickly contacted California and, after learning that the state was addressing the issues, dropped any consideration of disconnecting.