Tipsheet

Uh oh: Healthcare.gov's Back End Flaws, Data Security Problems Worse Than Expected


The White House's second premature victory lap of the Obamacare saga looks even more ill-advised upon further review. As the administration crows about attracting one million visitors to Healthcare.gov yesterday, new questions about the website's security functions and end-to-end efficacy have arisen. Boasting about high interest in a product that people are required by law to purchase is the stuff of parody -- especially when legions of potential consumers are currently in desperate need of 2014 coverage for the sole reason that their previous arrangements were canceled by the new law, in direct violation of the president's repeated assurances. The administration is once again chalking their web traffic up as a win, even as insurers warn that Healthcare.gov's back end is still dysfunctional, and despite the fact that high volume led to error messages for tens of thousands of visitors. During a testy conference call with reporters yesterday, a government spokesperson refused to answer numerous questions about the frequency of the so-called 834 errors that have marred the insurer side of Healthcare.gov transactions. Today the Washington Post reports that these and other flaws have been alarmingly pervasive, and could result in "signed up" citizens not receiving the coverage they mistakenly think they've secured:


The enrollment records for a significant portion of the Americans who have chosen health plans through the online federal insurance marketplace contain errors — generated by the computer system — that mean they might not get the coverage they’re expecting next month. The errors cumulatively have affected roughly one-third of the people who have signed up for health plans since Oct. 1, according to two government and health-care industry officials. The White House disputed the figure but declined to provide its own. The mistakes include failure to notify insurers about new customers, duplicate enrollments or cancellation notices for the same person, incorrect information about family members, and mistakes involving federal subsidies. The errors have been accumulating since HealthCare.gov opened two months ago, even as the Obama administration has been working to make it easier for consumers to sign up for coverage, the government and industry officials said. Figuring out how to clean up the backlog of errors and prevent similar ones in the future is emerging as the new imperative if the federal insurance exchange is to work as intended. The problems were the subject of a meeting Monday between administration officials and a new “Payer Exchange Performance Team” made up of insurance industry leaders.


Katie has more on this story here. Because the administration made the political decision to make fixing the front end a priority -- thus cutting down on public frustration, and shoving the remaining problems behind a curtain -- the spigot is about to be turned on, to one extent or another. Are these error-prone computer systems prepared to handle the stampede? If not, how will insurers handle a big wave of flawed data? And how will it be sorted out by December 23, the final cut-off to have coverage by January 1? One of the biggest emerging concerns is the growing list of stories about individuals who believed they'd successfully enrolled, only to discover that their insurance company has no record of them. Insurers are justifiably nervous:


Insurance companies are still waiting for key parts of HealthCare.gov to be built—and still having trouble with the parts that are in place. Important pieces of the Obamacare site are still glitchy, or missing altogether. And the site’s botched rollout is hardly boosting confidence in the vital components that still need to be built, including the systems for processing payments to insurers and squaring away the details of who has enrolled in which plans. Both systems are crucial to the insurance industry, which needs to collect premiums so it can pay out claims. And carriers are still waiting for the delayed process of reconciling their enrollment information with the federal government’s data. As the rest of HealthCare.gov struggles to get off the ground, people in and near the insurance industry are nervous about the delays and about how well those systems will work once they’re in place...Another cause for insurers’ anxiety: CGI Federal—the contractor that has come under fire for its work building the bulk of HealthCare.gov—is also in charge of building the payment and reconciliation systems.


What could go wrong? Snark aside, back end performance isn't the only red flag garnering attention today. Data security weaknesses continue to plague Obamacare's systems, erecting another obstacle to successful enrollment. If people don't believe their sensitive information is safe, they're far less likely to roll the dice and plug in Social Security numbers and financial data into the federal (and state level) exchanges. One expert hacker tells CNBC that Healthcare.gov is woefully under-protected and wonders what, if any, measures were originally built into the website's structure:


It could take a year to secure the risk of "high exposures" of personal information on the federal Obamacare online exchange, a cybersecurity expert told CNBC on Monday. "When you develop a website, you develop it with security in mind. And it doesn't appear to have happened this time," said David Kennedy, a so-called "white hat" hacker who tests online security by breaching websites. He testified on Capitol Hill about the flaws of HealthCare.gov last week. "It's really hard to go back and fix the security around it because security wasn't built into it," said Kennedy, chief executive of TrustedSec. "We're talking multiple months to over a year to at least address some of the critical-to-high exposures on the website itself."


But Kathleen Sebelius "feels like" Obamacare's web system is locked up nice and tight, so consumers shouldn't worry. Surely Team Obama has solid reasons for denying media requests for increased access to the administration's data security efforts, and stonewalling Congress:



"CMS and HHS -- the two groups who are responsible for the Healthcare.gov website -- couldn't even provide someone in a classified setting to come up [to Congress] to talk about the breaches which they know have happened ... [The White House] is encouraging people to go to a site that our own government knows doesn't meet safety standards when it comes to security of private information."


Rep. Rogers is correct that these actions are unconscionable, but they're not surprising in the least. One of the primary reasons Healthcare.gov is in its current mess is because Obama's brain trust deliberately postponed key components of development until after the 2012 election, then worked in secret -- bending over backward to deny Republicans any hint of bad news that might have been exploited politically. Obama's obsession with partisanship and news cycles hamstrung his own signature initiative, and continues to put Americans' private data at severe risk. The president is about to embark on another grand tour of speechifying about how terrific Obamacare is. Will he mention that the non-functional website he's exhorting Americans to visit isn't secure?


UPDATE - The Treasury Department's Inspector General has concluded that Obamacare's anti-fraud mechanisms are insufficient:


In a newly released report, the Treasury Inspector General for Tax Administration concluded that the system for calculating subsidies for individuals to purchase insurance through President Obama's health care law didn't have adequate measures in place to minimize security risks and prevent fraud. Failure to address the issues could result in tax fraud and the issuance of “erroneous refunds,” the report warned.


In a related story, President Obama is going to deliver an upbeat speech about Obamacare later this afternoon.