Sharyl Attkisson revealed on Monday's CBS Evening News that the Obama administration had prior knowledge of HealthCare.gov's numerous security flaws, but went ahead anyway with its October 1, 2013 launch. Attkisson spotlighted a government memo that outlined "important security risks discovered in the insurance system....The memo said, 'The threat and risk potential to the system is limitless'."
The correspondent also obtained a partial transcript of a closed-door congressional hearing, where HealthCare.gov's project manager claimed that he was unaware of this memo, and that he "testified he'd been told the opposite" about the website's security risks.
Anchor Scott Pelley teased Attkisson's report by trumpeting that "a major security failure was known before the health care website went live". Just before the segment, Pelley stated that "the project manager in charge of building the federal health care website was apparently kept in the dark about serious failures in the website's security".
The CBS journalist continued with what Henry Chao of the Centers for Medicare and Medicaid Services disclosed in his testimony:
SHARYL ATTKISSON (voice-over): Henry Chao, HealthCare.gov's chief project manager at the Centers for Medicare and Medicaid Services, gave nine hours of closed-door testimony to the House Oversight Committee...In excerpts we've obtained, Chao was asked about a memo that outlined important security risks discovered in the insurance system. Chao said he was unaware of this September 3 government memo, written by another senior official at C.M.S. It found two high-risk issues, which are redacted for security reasons. The memo said, 'The threat and risk potential to the system is limitless'.
The memo shows C.M.S. gave deadlines of mid-2014 and early 2015 to address them. But Chao testified he'd been told the opposite: 'What I recall is what the team told me – is that there were no high findings.' Chao testified security gaps could lead to identity theft, unauthorized access, and misrouted data. According to federal standards, high risk means 'the vulnerability could be expected to have a severe or catastrophic adverse effect on organizational operations, assets, or individuals'.
It was Chao who recommended it was safe to launch the website October 1. When shown the security risk memo, Chao said, 'I just want to say that I haven't seen this before'. A Republican staff lawyer asked, 'Do you find it surprising that you haven't seen this before?' Chao: 'Yeah. I mean, wouldn't you be surprised if you were me?' He later added, 'It is disturbing. I mean, I don't deny that this is a fairly nonstandard way' to proceed.
Near the end of the segment, Attkisson pointed out that "the author of the security memo – Tony Trenkle – retired from C.M.S. last week. No reason was given."
Six days earlier, on the November 5, 2013 edition of CBS This Morning, correspondent Jan Crawford documented the "several flaws" with HealthCare.gov that "could expose your personal information" to hackers, contrary to the Obama administration's claims that "information is protected by stringent security standards".