Top HealthCare.gov official unaware of potential security risks

The chief official responsible for managing the trouble-plagued HealthCare.gov website project says he was unaware of a memo that outlined several potentially significant security issues before he’d signed off on the recommendation for the website’s launch.

The House Oversight and Reform Committee interviewed Henry Chao, CMS’s top operational official for the project, on November 1st in a closed-door session.  Late Monday, the committee released the following statement and several documents from that interview.

Henry Chao, the Deputy Chief Information Officer and Deputy Director of the Office of Information Services at the Centers for Medicare and Medicaid Services (CMS), testified during a November 1 transcribed interview with Committee investigators that he was surprised he was never made aware of a September 3, 2013, memo outlining serious security vulnerabilities present in the Federal Facilitated Marketplaces (the “exchange”). Chao, CMS’s top operational official for the Federal exchange, testified he found it “disturbing” that he had been excluded from a memo about significant problems with security.

The September 3, 2013, memo that Chao testified he had previously never seen was authored by CMS Chief Information Officer Tony Trenkle. The memo noted six security problems, two of which were described as “open high findings.”

Chao initially expressed disbelief when first shown the memo during his transcribed interview. In reviewing the memo, Chao agreed that one finding, “presented a significant risk to the system,” and did not know if it had been corrected.

The statement is followed by several excerpts from the interview, which reveal that “lines of communication about security issues prior to launch may not have been working properly.”

Chao concedes in the interview that it was possible he was simply left off the particular memo in question as an oversight.  But he expressed concern about having not seen the memo and surprise that the Chief Information Security Officer (CISO) would have him recommend the site’s launch without having made him aware of the information.

Specific references to the noted security risks are redacted in the documents for security purposes, so it’s difficult to determine what the impact to the website may or may not have been.

Last week it was reported that Trenkle will be stepping down on November 15th to take a position in the private sector.

According to The Hill, the noted security issues are related to website functionality that isn’t yet active. The House committee’s press release sparked some harsh criticism from a Democratic staffer.

A Democratic Oversight committee staffer said the security issue relates to a function of the website that isn’t currently active and won’t be until early next year.

“It’s hard to understand why anyone would trust the accuracy of Chairman Issa’s press releases when they consistently distort and manipulate the truth,” the staffer said. “The Chairman’s staff basically sandbagged this witness with a document he had never seen before and then failed to inform him that it has nothing to do with parts of the website that launched on October 1.”

“Rather than seeking out the truth, this press release tries to scare the public by capitalizing on confusion caused by the Chairman’s own staff,” the staffer added.

Security has continued to be a primary topic of concern and a point of focus in recent hearings on the website’s rollout.

Previously it was reported that all of the security controls for the HealthCare.gov website had not been tested in one complete version of the system prior to its launch, prompting a risk mitigation addition that included continued monitoring and testing to occur after the launch.

Last week, Heritage reported the instance of a healthcare.gov user who logged onto the system and was presented with an insurance eligibility letter for a total stranger.

Chao is one of several officials scheduled to testify before the House Oversight and Reform Committee in a hearing on the Rollout of HealthCare.gov on Wednesday.

Comments

American Freedom Fighter | November 12, 2013 at 9:28 am

Right…. And when your personal info is stolen, and you have to go through Hell cleaning up your credit, who do you sue? Who do you hold responsible?

The government won’t give a crap, and they certainly won’t allow you to seek damages.

In the immortal words of Joe Wilson – ‘Liar.’

If Congressman Issa has to scare the rats out, so do it.

There is something in general going on with Federal computer software. I have been a contractor for certain Federal projects and as such have to be registered under the DUNS system. This year they changed the system and it is impossible to register, the system will not take the information. The same goes for applying for VA positions over the years. It appears they have messed up something and can’t get it right.

Another “chief official” “unaware” in the Obama admin. Imagine that.

Empty chairs abound.

Chao, CMS’s top operational official for the Federal exchange testified he found it “disturbing” that he had been excluded from a memo about significant problems with security.

“The Chairman’s staff basically sandbagged this witness with a document he had never seen before and then failed to inform him that it has nothing to do with parts of the website that launched on October 1.”

Where I come from, it’s a firing offense to fail to let the bosses know about oncoming future issues within their area of responsibility. I find it disturbing that some unnamed Democratic staffer (why is this person unnamed?) was allowed to use the excuse that long-standing issues are to be meted out on the basis of due dates. This is a jarring departure from normal procedure in both business and government circles.

Lights are on, nobody’s at home in D.C.

Exception: Barry, for him all is going as planned. Gotta’ hand it to that Alinsky/Gramsci pair. Their SHIZZZ works.

I suspect that at some point over the past 2-3 years the Obama administration was convinced by experts that tightly securing the online infrastructure for Obamacare – the exchanges, credit/debit card payment programs, electronic medical records networks, etc. – would prove impossible, a constant battle against scammers, ID thieves, hackers, saboteurs, and terrorists. Then there are all the technical screw-ups currently unfolding and more major problems predicted for the very near future.

Obama & Co simply cannot accept that their baby is stillborn.

—————————————-

I’m self-employed, had a BC/BS-NC individual health insurance policy, catastrophic because of inexplicable good health – I haven’t been to the doctor in ten years. $5,000 deductible, 80/20, standard co-pays, etc., after that. Premium: $289/month. Perfectly happy with it. A private contract between two private, once-free parties. Cancelled by the federal government.

Per BC/BS-NC, my cheapest policy under Obamacare rules:
$6,500 deductible. Premium: $619/month.

Comment from BC/BS-NC associate: “Don’t worry too much, those numbers are probably not accurate. We’re still processing rules changes from the government and getting new ones all the time.” How comforting.

——————————————

Collective name for the millions of people who lost their health insurance because of Obamacare with no way to replace it:

Obamacarrion

—————————————

I feel like roadkill.

Not A Member of Any Organized Political | November 12, 2013 at 1:02 pm

Good work Mandy, keep it up!

FYI

Curious Statement in Obamacare Website Source Code: “You Have No Reasonable Expectation of Privacy”

Read more at http://globaleconomicanalysis.blogspot.com/2013/11/curious-statement-in-obamacare-website.html#DB3WAZJ1R45009vw.99

Still More on Obamacare Security (Or Lack Thereof); HHS Director Says “Americans Deserve Better”

Read more at http://globaleconomicanalysis.blogspot.com/2013/11/still-more-on-obamacare-security-or.html#sfJIdjwi2P9CioEj.99

The biggest problem isn’t the website, it’s ACA. The website is just an implementation of ACA and runs about exactly how ACA is designed to run, not at all.

I’d actually believe the lack of awareness due to apathy. These people want to get their check and leave as quickly as possible…they simply do not care about anyone or anything.

Has Chao ever been a project manager over a large operation like this, or is he just another leftist academic??
