The Blog

Data Security for Obamacare Exchanges 'Months Behind' Schedule

4:27 PM, Aug 6, 2013 • By MICHAEL WARREN
Widget tooltip
Single Page Print Larger Text Smaller Text Alerts

Reuters reports that the federal government is "months behind" its efforts to set up data security measures for the state health insurance exchanges, set to open on October 1, as created by Obamacare:

The federal government is months behind in testing data security for the main pillar of Obamacare: allowing Americans to buy health insurance on state exchanges due to open by October 1

The missed deadlines have pushed the government's decision on whether information technology security is up to snuff to exactly one day before that crucial date, the Department of Health and Human Services' inspector general said in a report.

As a result, experts say, the exchanges might open with security flaws or, possibly but less likely, be delayed.

The report, released without fanfare last Friday, found that the Centers for Medicare & Medicaid Services or CMS - the agency within HHS that is running Obamacare - had set a May 13 deadline for its contractor to deliver a plan to test the security of the crucial information technology component.

A test was to have been performed between June 3 and 7. But the delivery deadline slipped and the test - assessing firewalls and other security elements - is now set for this week and next.

Michael Astrue warned about the privacy problems inherent in the Obamacare exchanges in a recent issue of THE WEEKLY STANDARD:

After enactment of the ACA, the former administrator of the Centers for Medicare and Medicaid Services (CMS), Donald Berwick, had the responsibility of creating systems for the exchanges, which required peripheral support from the Social Security Administration (SSA) and the Internal Revenue Service (IRS). Congress did not appropriate special funding for this initiative, and Berwick was unwilling to shift adequate funds within CMS for this critical project. Berwick then failed to persuade HHS secretary Kathleen Sebelius to spend one penny on this effort from her massive ACA discretionary fund. Berwick also failed to bully SSA into paying for the entire system; he brushed aside the blatant illegality of that approach.

Civil servants at CMS did what they could to meet the statutory deadline​—​they threw together an overly simplistic system without adequate privacy safeguards. The system’s lack of any substantial verification of the user would leave members of the public open to identity theft, lost periods of health insurance coverage, and exposure of address for victims of domestic abuse and others. CMS then tried to deflect attention from its shortcomings by falsely asserting that it had done so to satisfy White House directives about making electronic services user-friendly. 

In reality, the beta version jammed through a few months ago will, unless delayed and fixed, inflict on the public the most widespread violation of the Privacy Act in our history. Almost a year ago both I and the IRS commissioner raised strong legal objections to the Office of Management and Budget (OMB), which has statutory oversight responsibilities for the Privacy Act. As of the time of my resignation as commissioner of Social Security last February, OMB lawyers could not bring themselves to bless a portal in which I could change Donald Trump’s health insurance and he could change mine.

Read the whole thing here.

Recent Blog Posts

The Weekly Standard Archives

Browse 15 Years of the Weekly Standard

Old covers