The Health Care Apology Tour

Obamacare, from The Weekly Standard, October 20, 2014

President Obama has had to acknowledge two big lies of the Affordable Care Act: (1) You could keep your health insurance plan; and (2) the HealthCare.gov website would be fully operational at launch. Unless he acts with urgency, he will also be forced to apologize for assuring us that personal data received by the Department of Health and Human Services are secure.

In its cynical public relations campaign just before the launch of HealthCare.gov a year ago, HHS came up with a clever way of reassuring Americans that they should not hesitate to hand their sensitive data over to a new bureaucracy in shambles. The prelaunch rhetorical trick was to focus on one small part of HealthCare.gov—what HHS calls the “data hub”—and claim that it does not “retain or store Personally Identifiable Information.”

If you define the “data hub” narrowly—as just those electronic communications between agencies to verify specific data the way that the Social Security Administration verifies Social Security numbers for employers—it is arguably a true statement. However, Congress and the media regularly took that statement to apply to the entire federal exchange (unsuccessfully dubbed a “marketplace”), and HHS did not volunteer that it retains detailed personal information on applicants and callers to its toll-free number—whether or not they buy insurance through the federal exchange. HHS also did not volunteer the fact that it solicits personal data from states that chose not to participate in HealthCare.gov.

HHS established a system for storing Affordable Care Act data long before the launch of HealthCare.gov. In late 2011, HHS awarded a contract to a tiny company called IDL Solutions to provide data storage and analysis of data obtained from the public through the federal exchange. The six-year $59 million contract was huge—and probably overwhelming—for a company with less than $20 million in annual revenue, and, with that windfall in hand, IDL Solutions soon sold itself for “an undisclosed amount” to one of the largest Beltway contractors, CACI.

HHS calls the system that CACI now manages “MIDAS” (Multidimensional Insurance Data Analytics System). A senior CACI executive has publicly described MIDAS “as the central repository for health insurance coverage.”

While HHS has been secretive about MIDAS, this central repository contains more than just the names, addresses, incomes, and Social Security numbers of millions of Americans. It also includes data of great value to cybercriminals, such as telephone numbers and email addresses. Moreover, according to a publicly available draft document of the National Archives and Records Administration, MIDAS includes notes on conversations between teleservice employees and callers to HealthCare.gov’s toll-free number.

At least six subcontractors now help run MIDAS, and one of them, the American Institutes for Research (AIR), recently solicited Affordable Care Act data from states unconnected to HealthCare.gov so that it could do with those data whatever it is doing with the federal data. AIR’s requested data elements include: name, address, phone number, mailing address, citizenship status, age, gender, race, primary language, and a description of the health plan the person selected. What this solicitation means is that HHS and its contractors collect data on people who never contacted HHS and never gave permission for the federal government to access their data, much less share it widely among contractors and then store it permanently with one or more of those contractors.

Combine a massive amount of data stored in an unaudited contractor’s servers with an insecure website that stores data in other locations and you have a security breach waiting to happen—one that could damage millions of Americans. This summer HHS suffered an embarrassing breach of HealthCare.gov; it was not a sophisticated cyberattack by a foreign government or criminal enterprise—it was apparently garden-variety malicious software roaming the Internet that happened to wander into a haplessly managed peripheral section of HealthCare.gov.

As I and others predicted last year, this part of HealthCare.gov was easily penetrated, and its security systems were so deficient that it took months for HHS to recognize the penetration. The Government Accountability Office reported on September 16 that HHS had not “fully addressed security and privacy management weaknesses, including having incomplete security plans and privacy documentation, conducting incomplete security tests, and not establishing an alternate processing site to avoid major disruptions.” The GAO report also found that HHS had not followed Office of Management and Budget government-wide guidance for assessing the privacy risks of MIDAS.

On September 23 HHS inspector general Daniel Levinson roused himself long enough to concur with the gist of the GAO report, albeit tepidly. Levinson’s lackadaisical report tried to spin the situation more favorably for HHS, but his report’s key finding was that his staff was able to breach the system and—even more damningly—HHS did not detect that breach.

Levinson’s lack of leadership as HHS inspector general has aggravated the security problems of the Affordable Care Act. When Donald Berwick, the former administrator of HHS’s Centers for Medicare and Medicaid Services, was bungling the early development of HealthCare.gov, Levinson should have stepped in with detailed audits and made the chaos clear to Congress and the president.

Levinson failed in that duty, and the chaos continued at great cost to the public and to President Obama’s legacy. Levinson’s only report on the security of HealthCare.gov before last month’s report was a few pages released on the eve of the website’s launch; it can be summarized as “HHS refused to turn over documents, but they assure us everything is fine.” Moreover, when 47 inspectors general bravely went public with their concern that this increasingly Nixonian administration was illegally withholding documents necessary for effective oversight of federal programs, Levinson declined to join that protest even though his 2013 HealthCare.gov report described HHS’s refusal to disclose any key documents.

Levinson compounded his failures in the September 23 report by noting in the fine print that his office will eventually audit MIDAS; he did not specify when. That task should have been completed over a year ago; one has to ask whether Levinson has the backbone to challenge CACI, a highly influential player in the world of federal contracting. MIDAS is not the only location where HHS is storing personal data of individuals, but it is a critically important one, and Levinson is dithering again while HHS dithers on cybersecurity.

President Obama should learn from his mistake of trusting his dishonest appointees at HHS, and he should know by now that Americans are more forgiving when an apology is unforced. His legacy will be further damaged if he lets HHS stay on its crooked course. The president’s statement should come as soon as possible and it should sound something like this:

I want to apologize again for incorrectly assuring Americans that HealthCare.gov was ready for launch and that all Americans would be able to keep their insurance plans. I recognize, too, that many Americans lost valued physicians when they lost their insurance plans, and I regret that result as well.

Today I also want to acknowledge that the data held by HealthCare.gov are not as secure as HHS told both you and me. I accept responsibility for that failure and apologize for it. Furthermore, I am taking these actions: (1) I have accepted the resignation of HHS inspector general Daniel Levinson. (2) I am directing the acting HHS inspector general to prepare a report within the next 100 days for me and the relevant congressional oversight committees that lists all locations where HHS collects personal data pursuant to the Affordable Care Act and a list of all the organizations and individuals with access to those locations. I am further directing the acting inspector general to develop a schedule for promptly performing security audits at each location where personal data are stored. (3) I am directing the HHS secretary to suspend collection of personally identifiable information from states that operate their own health exchanges until such time as the attorney general has advised me that collection of these data is fully consistent with all requirements of federal law.

As painful as this statement will be, it is less painful than the one that would be required after a theft of personal data from HealthCare.gov.

Michael Astrue served as HHS general counsel (1989-1992) and commissioner of Social Security (2007-2013).

 © 2014 Weekly Standard LLC. Reprinted with permission.