The Democratic minority of the House Committee on Energy and Commerce said Thursday that there have been no successful attacks on Healthcare.gov.
The minority released its findings ahead of a scheduled Friday House vote on Republican-sponsored H.R. 3811, the Health Exchange Security and Transparency Act, which would require that the Department of Health and Human Services notify individuals within two days of a known security breach of the Healthcare.gov website.
The Republican majority says that because the exchanges were not fully built prior to October 1 that open enrollment launched before HHS conducted a full security control assessment.
This lack of complete end-to-end security testing led to a memo written to CMS Administrator Marilyn Tavenner explaining, from a security perspective, the aspects of the system that were not tested due to the ongoing development, exposed a level of uncertainty that can be deemed as a high risk, the majority says.
In a memo to Democratic members and staff, the ranking members of the committee say that Healthcare.gov does not collect or store detailed personalized health information and HHS already has in place protocols for informing affected citizens as rapidly as possible in the event of a security breach.
No breaches
The memo, signed by Energy Committee Ranking Member Rep. Henry Waxman (D-Calif.) and House Committee on Oversight Ranking Member Rep. Elijah Cummings (D-Md.) says that HHS briefings on Dec. 11, 2013 and Jan. 7 which were classified say that no person or group has maliciously accessed any personally identifiable information from users.
No data storage
According to the memo, the website does not collect detailed information about the health status of consumers. Instead, applicants submit a limited amount of information, such as their names, addresses, income levels, and the number of family members to be covered.
Notification
Further, the memo states that pursuant to the Federal Information Security Management Act, the Privacy Act, and requirements set forth by the Office of Management and Budget, HHS is already required to notify consumers of any breaches.
