Senate Minority Leader Mitch McConnell on Monday made a new push to delay implementing part of Obamacare, this time citing potential security issues with the new health exchanges.
"While I have grave concerns about this law under any circumstance, Americans should not be forced into the exchanges, and certainly not without these assurances. If you rush to go forward without adequate safeguards in place, any theft of personal information from constituents will be the result of your rush to implement a law to meet the agency's political needs and not the operational needs of the people it is supposed to serve," McConnell wrote in a Monday letter to Centers for Medicare and Medicaid Services Administrator Marilyn Tavenner.
The letter from the Kentucky Republican comes in reaction to a Health and Human Services inspector general report from earlier in August citing issues with the deployment of security controls for the Data Services Hub, the system through which the new health exchanges established by the 2010 health care overhaul are supposed to access data.
"The functions of the Hub will include facilitating the access of data by exchanges; enabling verification of coverage eligibility; providing a central point for the [IRS] when it asks for coverage information; providing data for oversight of the exchanges; providing data for paying insurers; and providing data for use in Web portals for consumers," the IG report explains.
"CMS is addressing and testing security controls of the Hub during the development process. However, several critical tasks remain to be completed in a short period of time, such as the final independent testing of the Hub'’s security controls, remediating security vulnerabilities identified during testing, and obtaining the security authorization decision for the Hub before opening the exchanges," the report said. "CMS's current schedule is to complete all of its tasks by October 1, 2013, in time for the expected initial open enrollment period."
The full letter from McConnell appears below:
Dear Administrator Tavenner:
I write to express my deep concern about reports that the Centers for Medicare and Medicaid Services (CMS) has missed multiple deadlines for assuring the security of the Federal Services Data Hub. Americans should not be forced to enter into exchanges when CMS is so ill-prepared to guarantee the protection of personal data and taxpayer resources from hackers and cyber criminals who would use this sensitive data for personal gain.
As you know, I oppose Obamacare and support its full repeal. Yet in recent months, even some of the Administration’s closest allies have raised alarms about the potential implementation “train wreck” to come. While I believe we ought to repeal this law and replace it with commonsense reforms that lower cost, Americans ought to be assured, at an absolute minimum, that their personal and financial data will be safe from data thieves.
HHS’ recent track record does not inspire much confidence. Last week, the Office of the Inspector General reported that the CMS has missed multiple deadlines for testing, reporting, and remediating data security risks in the Federal Data Services Hub. In fact, HHS does not expect a final Security Control Assessment (SCA) report from an independent testing organization until 10 days before the Hub is scheduled to begin operations, hardly enough time to fix any problems that may be identified. Furthermore, the current schedule calls for CMS’s Chief Information Officer (CIO) to certify the Security Authorization Decision on September 30, 2013, the day before exchanges open.
Adding to these concerns are reports that CMS has signed a $1.2 billion contract with a company to receive, sort, and evaluate applications for financial assistance in the exchanges that include personal, sensitive data. According to published reports, this particular company “has little experience with the Department of Health Human Services or the insurance marketplaces, known as exchanges, where individuals and small businesses are supposed to be able to shop for insurance.” And just last year, it was disclosed that more than 120,000 enrollees in the federal Thrift Savings Plan had their personal information, including Social Security numbers, stolen from your contractor’s computers in 2011.
Given the compressed timeframe between the conclusion of system testing and the scheduled opening of the exchanges, I am asking you to delay opening the exchanges until the Inspector General can guarantee the security of the exchanges.
I request that you assure the public that your Chief Information Officer will not be pressured to certify the system’s readiness by signing the Security Decision Authorization until it is secure.
Considering their recent history, can you guarantee that your contractor will protect taxpayer information in the exchange more carefully than it protected the data of federal employees in the Thrift Savings Plan?
While I have grave concerns about this law under any circumstance, Americans should not be forced into the exchanges, and certainly not without these assurances. If you rush to go forward without adequate safeguards in place, any theft of personal information from constituents will be the result of your rush to implement a law to meet the agency’s political needs and not the operational needs of the people it is supposed to serve.
Thank you in advance for your attention in this matter. I look forward to your reply.