Johnson Holds Agency Accountable for Obamacare-related Data Breach

WASHINGTON — U.S. Sen. Ron Johnson (R-Wis.), chairman of the Senate Committee on Homeland Security and Governmental Affairs, on Saturday requested information about a security breach in a system associated with Healthcare.gov, the website created for Obamacare enrollment.

The Centers for Medicare & Medicaid Services (CMS), which oversees Healthcare.gov, notified the committee late Friday of the breach affecting about 75,000 individuals through the Direct Enrollment pathway for agents and brokers of the federally facilitated exchange. This breach follows CMS’ history of reported security weaknesses with the Healthcare.gov web portal. Previous congressional oversight showed how CMS launched Healthcare.gov in 2013 despite vulnerabilities that put the personal information of Obamacare enrollees at risk.

Johnson wrote Saturday to Alex Azar, secretary of health and human services, instructing him to provide the committee with information about the scope of the breach and any steps CMS is taking to remedy the problem.

After sending the letter, Johnson said this:

“The damage inflicted on Americans’ health care by Obamacare has been significant. People lost coverage they liked and doctors they trusted, premiums skyrocketed, and the rollout of Healthcare.gov was botched. Four years later, Obamacare’s website is still not secure. Cyberattacks threaten all sectors of our economy, and this latest breach demonstrates the federal government remains one of the most vulnerable. CMS owes the public answers and better protection of their personal information.”

Johnson’s letter instructs Azar to return his answers by the end of the business day on Oct. 30.

Full text of the letter can be found below.

---

The Honorable Alex Azar II

Secretary

U.S. Department of Health & Human Services

200 Independence Avenue, S.W.

Washington, D.C. 20201

Dear Secretary Azar:

On Friday, October 19, 2018, the Centers for Medicare & Medicaid Services (CMS) notified the Committee of a breach of a system associated with healthcare.gov, the website created for Obamacare enrollment. According to CMS, the breach affected approximately 75,000 individuals through the Direct Enrollment pathway for agents and brokers of the Federally-facilitated Exchange. This breach follows CMS’s history of reported security weaknesses with the healthcare.gov web portal and supporting systems. Previous congressional oversight showed how CMS launched healthcare.gov in 2013 despite vulnerabilities that put the personal information of Obamacare enrollees at risk.

The Committee has jurisdiction over federal information systems and the Federal Information Security Management Act of 2002 (FISMA). To assist the Committee in its oversight of the breach affecting healthcare.gov, I respectfully request the following information:

1. Please provide the date and time by which the first indicator of compromise (IOC) was identified and who identified this initial IOC (i.e., CMS personnel or contractors, or law enforcement entities).

2. Please provide the date on which CMS notified the Office of Inspector General and law enforcement.

3. Please describe the type of personally identifiable information (PII) affected, and how CMS determined that the 75,000 was the universe of individuals affected. Does CMS believe this to be the full exposure, or is 75,000 CMS's initial estimate?

4. Please provide a copy of CMS's notification to the U.S. Computer Emergency Readiness Team concerning the initial IOC.

5. Please provide the date on which the bad actor(s) were expunged from the system; log information sufficient to indicate how long these bad actor(s) had access to CMS or HHS system(s) and also individuals’ PII; and CMS's current assessment as to whether all bad actor(s) have been expunged from CMS and HHS systems. 

6. Has CMS notified the 75,000 people who have had their sensitive information compromised? Does CMS intend to offer any credit monitoring or protection to these individuals?

7. Please produce all documents or communications referring or relating to the breach of healthcare.gov’s Direct Enrollment pathway.

In addition to responses to the above, I respectfully request a briefing for Committee staff. Please provide a response as soon as possible but no later than 5:00 p.m. on October 30, 2018.

The Committee on Homeland Security and Governmental Affairs is authorized by Rule XXV of the Standing Rules of the Senate to investigate “the efficiency, economy, and effectiveness of all agencies and departments of the Government.” Additionally, S. Res. 62 (115th Congress) authorizes the Committee to examine “the efficiency and economy of operations of all branches and functions of Government with particular references to (i) the effectiveness of present national security methods, staffing, and processes….”

If you have any questions about this request, please ask your staff to contact Elliott Walden of the Committee staff at (202) 224-4751. Thank you for your attention to this matter.

###