Security Documents Show HHS Downplayed Vulnerabilities Prior to Launch

Published: Dec 17, 2013

Issa Accepts White House Offer to Meet with Sebelius

WASHINGTON – Today, after reviewing security documents produced by MITRE, one of the site’s contractors, House Oversight and Government Reform Committee Chairman Darrell Issa, R-Calif., sent a letter to HHS Secretary Kathleen Sebelius accepting the White House’s offer of a meeting to discuss both the decision to move forward with the website launch despite known vulnerabilities and ongoing concerns about site security.

“The full context of MITRE’s assessment, which the Department had in its possession prior to the October 1 launch date, shows that CMS and HHS knew that was vulnerable yet your statements have not given the American people a fair and accurate assessment of known risks,” Issa writes.

“Contrary to the assertion made by the White House, neither I nor anyone on my staff has expressed an unwillingness to meet with you for a discussion about both the ongoing security vulnerabilities noted in the MITRE documents as well as the rationale for proceeding on October 1, 2013,” Issa writes in a letter to Sebelius. “Indeed, my staff repeatedly has told your staff that it would welcome a page by page discussion of the MITRE documents and any concerns about the public release of any information once the documents were properly and fully produced to the Committee.”

“Of the 28 separate security vulnerabilities identified in the October 11 report, MITRE reported that 19 remained unaddressed.  Among the unaddressed security risks that went live on October 1, MITRE indicated eleven ‘will significantly impact the confidentiality, integrity and/or availability of the system or data….’ if the technical or procedural vulnerability is exploited,” the letter states.

“While I am withholding sensitive technical details, one security finding summary states, ‘Any malicious user having knowledge of this can perform unauthorized functions.’  The summary of another discusses a system weakness that makes a particular type of sensitive information vulnerable.  Part of the finding states this, ‘increases the risk that they will be captured by an attacker.’  A third, which the document indicates HHS was supposed to address in the days immediately before launch, ‘The attacker is able to see and edit PII of the victim …’”

You can read Chairman Issa’s complete letter here.