U.S. lawmakers questioned the security of HealthCare.gov, the U.S. government's troubled insurance-shopping website, after reports that one applicant's personal information was shared with another applicant.
Reports that the website shared South Carolina resident Tom Dougall's personal information with another insurance applicant raises serious concerns about security at the site, Republican members of the U.S. Senate Health, Education Labor and Pensions Committee said during a hearing Tuesday.
The security concerns come on top of the website's existing problems, including site outages, sluggish page load times and users' inability to complete coverage applications, since the U.S. Department of Health and Human Services launched the website Oct. 1. The website is a key piece of insurance reform law the Affordable Care Act, or Obamacare, passed by Congress in 2010.
"We are now more than 30 days into one of the greatest website disasters in history," Senator Tim Scott, a South Carolina Republican, said during the hearing. "After nearly US $400 million, HealthCare.gov is synonymous now with failure. The public's trust has been broken."
In the South Carolina case, another applicant received download links to Dougall's insurance application, Scott said. Dougall and Scott have asked HHS to remove all his personal information from HealthCare.gov, but agency officials have not been able to tell him if that will happen, said Scott, one of Dougall's senators.
"There's no delete option for consumers," Scott said.
The team working on HealthCare.gov for the HHS Centers for Medicare and Medicaid Services [CMS] has fixed the problem that caused the data to be shared, said Marilyn Tavenner, administrator at CMS. The agency has been trying to contact Dougall to address his concerns, she said.
CMS received only one report of a user's application being shared with another person, Julie Bataille, director of the CMS Office of Communications, said at a press briefing later. The HealthCare.gov team took "immediate" steps to fix the software responsible for the problem, she said.
At the hearing, Tavenner defended the site's security, saying contractor Mitre has continually tested the site and is monitoring for intrusions. The site is using similar security measures as are used in the CMS Medicare program, she said.
Capacity has been added to improve site performance and HealthCare.gov should be working well by the end of the month, as HHS has projected, she said.
But committee Republicans -- who have opposed Obamacare -- raised doubts about security. The HHS inspector general's office warned HHS and its Centers for Medicare and Medicaid Services [CMS] about possible security problems in an August report, Scott said.
That report warns CMS of a tight time frame for completing security testing, with the report noting that the targeted data of security authorization for the website slipped from early September to Sept. 30, a day before launch. "If there are additional delays in completing the security authorization package, the CMS CIO may not have a full assessment of system risks and security controls needed for the security authorization decision by the initial opening enrollment period," the report said.
Senator Michael Enzi, a Wyoming Republican, repeated concerns raised in earlier hearings that end-to-end security testing on the site was not completed before it went live.
Security testing for the website's hub, which verifies applicants' eligibility for insurance coverage, was completed, Tavenner said, while individual components of the site's exchange functionality, where users can apply for insurance and compare plans, were also tested. The testing complied with U.S. government rules, she said.
The exchange "was not signed off as a complete package, because we were still upgrading modules," she said. "The testing will continue this month and next month as we do these software upgrades."
Committee Chairman Tom Harkin, an Iowa Democrat, urged CMS to focus on security. "This is a paramount concern," he said. "Consumers have to be absolutely certain that when they go on and they fill out that application, they give all that information, that is secure."
Other committee Democrats said they were disappointed in HealthCare.gov's rollout. The botched launch of the site has led to a "crisis of confidence" in the system, said Barbara Mikulski, a Maryland Democrat.
CMS plans to reach out to website users and to people who have avoided the site because of the problems after the agency is confident HealthCare.gov is working correctly, Tavenner said. The agency is planning a media campaign after the problems are resolved, she said.
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is email@example.com.