
AP: administration was told had 'high' security risk four days before launch


The Associated Press (AP) is reporting that the agency that oversaw the launch of the online health insurance marketplace received a memo warning of security risks shortly before the site was deployed.

The source of the memo, which was sent to the head of the Centers for Medicare and Medicaid Services (CMS), was not revealed.

The memo said that one of the contractors working on the project was unable to perform a complete security test of the site in time, which "exposed a level of uncertainty that can be deemed as a high risk." The memo recommended that a security team be established to "address risks, conduct daily tests, and [perform] a full security test within two to three months of going live," according to the AP.

The warning, addressed to CMS chief Marilyn Tavenner, was dated four days before went live on October 1st.


Since launch, independent security researchers have identified issues with the site that made it vulnerable to hackers. The worst was a problem with the password reset function that made it possible to reset someone else's password using their username and a bit of research.

Further revelations show that some personal information sent through the site — which includes names, social security numbers, addresses, and dates of birth — may still be vulnerable to hackers and data leaks.

The Health and Human Services (HHS) Inspector General articulated concerns with the site's security during a review in August, noting that the deadline for the security authorization was pushed from September 4th to September 30th, the day before launch.

"CMS is working with very tight deadlines to ensure that security measures for the Hub are assessed, tested, and implemented by the expected initial open enrollment date of October 1st, 2013," the report says. "If there are additional delays in completing the security assessment and testing, the CMS CIO may have limited information on the security risks and controls when granting the security authorization of the Hub."

Representative Darrell Issa (R-CA) has subpoenaed one of the contractors, citing security concerns. He's also called for HHS secretary Kathleen Sebelius to take responsibility for the problems with the site.

Sebelius is being interrogated by members of Congress today. In answer to an unrelated question about bugs in the application, the secretary said that CMS was "trying to make sure we had the highest security standards, that we were not cavalier about someone's personal information being able to be addressed and attached."

Update: CNN has obtained a copy of the memo.