Mass Connector Called Before Congress To Explain Failed Rollout

Chris Cassidy at the Boston Herald is reporting that Jean Yang, the executive director of the Massachusetts Health Connector, will be called before two Congressional committees on Thursday, April 3rd at 10am to explain the failings of the exchange under the ACA.

It should be noted that, among the invited states that are likely to testify, Yang will be the only executive director who has not been fired or resigned due to the poor performance of their state-based exchange. These states include Hawaii, Maryland, Minnesota, Nevada, and Oregon. As I have written about before, Massachusetts has the distinction of currently being the worst performing exchange in the country. Meanwhile, Governor Patrick has expressed his support for the current leadership at the Connector.

In a letter to the Governor, the Chairman of the Oversight Committee Darrell Issa, the Chairman of the Subcommittee on Economic Growth, Job Creation, and Regulatory Affairs Jim Jordan, and the Chairman of the Subcommittee on Energy Policy, Health Care and Entitlements James Lankford revealed some startling new claims of privacy risks on the exchange platform.

We are writing to you because the Committee has learned that the Obama Administration took actions in the summer and fall of 2013 that appear to have placed the private information of Massachusetts residents at risk with the launch of ObamaCare’s health insurance exchanges.

As Cassidy summarized:

Issa, who sent similar letters to nine other states, contends Bay State officials issued a security report in mid-September that admits the state failed to provide required security training to employees on handling personal information, such as federal tax info. It also didn’t require background or credit checks on employees before they accessed the IT system, wrote Issa.

In a press release the Committee provided more details from the letter:

State exchanges and Medicaid systems needed authority to connect (ATC) agreements from CMS in order to connect to the federal data services hub. According to security risk assessment reviews, the Chief Information Security Officer (CISO) at CMS deemed 35 state systems as a high risk and an additional ten state systems as a moderate risk of connecting to the data hub. (emphasis added) However, despite the negative assessments that generally revealed incomplete documentation and inadequate security testing, CMS allowed most of these states to connect to the federal data hub on October 1, 2013.

A few days prior to October 1, 2013, Ryan Brewer, CMS’s CISO from 2009 through 2011 and currently an advisor to CMS on information security matters, offered the following assessment to current CMS CISO Teresa Fryer: “Allowing these states to connect to the Hub and FFM [Federally Facilitated Marketplace] without the appropriate review of their documentation introduces an unknown amount of risk to the Hub and FFM.  This in turn puts the PII of potentially millions of users at risk of identity theft and fraud to the CMS marketplace healthcare subsidy program.”

It should be noted that these security issues are not the only ones that have been raised in the Commonwealth. In recent reports conducted by outside vendor BerryDunn, it was revealed that concerns persist about the lack of monitoring of activity on the website. The report details:

CGI [the primary contractor on the project] has reported that logging was “turned off,” due to a security issue….If security logging and monitoring activities are not performed according to requirement undetected compromise of HIX/IES data may occur….

The EOHHS [Executive Office of Health and Human Services] has reported that they have not been monitoring security logs, administration of user activities, or reports of activity within the MA HIX/IES. Although the Commonwealth has requested security reports from CGI, those have not been provided.

In layman’s terms, a technical person with deep knowledge of the project explained it to me this way: “Someone could go in and delete all records, change information, steal information and no one would know. Logging needs to be turned on immediately or the system should be taken offline.”

Here’s hoping we learn more details about what exactly happened in Massachusetts, as our state officials don’t seem keen on speaking on the topic locally, and our elected officials on Beacon Hill have not provided a regular outlet to facilitate those conversations.

Find me on twitter: @josharchambault