
Is FL a Risk to Healthcare.gov?

Leon County Judge John Cooper on June 30, 2022, in a screen grab from The Florida Channel.
The Associated Press / The Florida Channel

Security experts working for the federal government last fall said two-thirds of state computer systems that were supposed to tap into federal computers to verify personal information for coverage were rated as "high risk" for security problems, the Associated Press reports.

According to a map from the House Committee on Oversight and Government Reform, Florida was one of the states the security experts identified as having a risky connection point.

As Health News Florida reported in August, Florida's governor and Cabinet officials -- all Republicans -- questioned the security of personal information being used for enrollment in a health plan. But their warnings were about "navigators" -- the trained and licensed guides who help people enroll in a plan through Healthcare.gov.

Supporters of the Affordable Care Act called the Florida officials' statements "political hype."

Here is the Associated Press report on the security concerns about state systems:

As the Obama administration raced to meet its self-imposed deadline for online health insurance markets, security experts working for the government worried that state computer systems could become a back door for hackers.

Documents provided to The Associated Press show that more than two-thirds of state systems that were supposed to tap into federal computers to verify sensitive personal information for coverage were initially rated as "high risk" for security problems.

Back-door attacks have been in the news, since the hackers who stole millions of customers' credit and debit card numbers from Target are thought to have gained access through a contractor's network.

The administration says the documents offer only a partial and "outdated" snapshot of an improving situation, and the security problems cited were either resolved or are being addressed through specific actions. No successful cyber-attacks have taken place, officials say.

However, the issues detailed in documents and emails provided by the House Oversight and Government Reform Committee reveal broader concerns than the federal Health and Human Services department has previously acknowledged.

They show a frenzied behind-the-scenes juggling act by officials and contractors as the Oct. 1 deadline for new health insurance exchanges loomed. Instead of providing a showcase for President Barack Obama, the launch of his health care law became a case study in how big technology projects can go off the rails.

In order to connect to federal computers, state and other outside systems must undergo a security review and receive an "authority to connect."

With the health care law, states needed approval to connect to a new federal data hub, an electronic back room that pings Social Security, the Internal Revenue Service, Homeland Security to verify personal details about people applying for government-subsidized insurance. The hub handles sensitive information, including income, immigration status and Social Security numbers.

The documents showed a high-stakes decision-making process playing out against a backdrop of tension and uncertainty as the clock ran out. For example:

In one email from Sept. 29, a Sunday two days before the launch, Teresa Fryer, chief information security officer for the federal Centers for Medicare and Medicaid Services, wrote of the state security approvals, "The front office is signing them whether or not they are a high risk." Her agency, known as CMS, also administers the health care law.

Two days earlier, in a separate document, CMS administrator Marilyn Tavenner approved nine states to connect although the approval document noted that "CMS views the October 1 connections to the nine states as a risk due to the fact that their documentation may not be submitted completely nor reviewed ... by Oct. 1." Approval was contingent on states submitting proper documentation. The states were Arkansas, Illinois, Iowa, Louisiana, Montana, Nebraska, Pennsylvania, Oklahoma, and South Dakota.

A federal contractor explicitly detailed the potential consequences of what he called an "elevated high risk."

Allowing states to connect without the appropriate review "introduces an unknown amount of risk" that could put the personal information of "potentially millions of users at risk of identity theft," not to mention exposing the program to fraud, contractor Ryan Brewer wrote to CMS security in a Sept. 18 email.