His March 25 letter, which was sent to other states in addition to Oregon, cites "serious questions about the decision-making of both federal and state officials prior to the website's launch."
Health insurance exchange officials concede that they've still not received final federal approval of Cover Oregon's data safeguards. But they defend their handling of website security and cite documents showing the exchange received preliminary federal approvals in September.
"Cover Oregon takes the security of our customer's personal information very seriously and have met or exceeded all applicable industry standards," said Cover Oregon communications director Amy Fauver. "In addition, we have instituted the same controls as federal and state offices that handle personal information."
As for a federally required independent security assessment, Oregon "did a significant portion" of that assessment before hooking up to the federal data hub set up for exchanges, showing the most sensitive information was protected, Fauver said. Cover Oregon's full security assessment was provided to the federal government on March 31 -- the last day of a six-month deadline extension -- and is still undergoing federal review.
Fauver said the site has had no electronic security breaches, and pointed to a Sept. 20, 2013 letter from the IRS that granted partial approval of Cover Oregon's protection of federal tax information, as well as the federal government's Sept. 27 approval Sept. 27 approval of the exchange's "authority to connect" to the federal data hub for sharing personal information.
This is not the first time critics of the Affordable Care Act have raised questions about personal data security, and defenders of the law have accused them of seeking to undermine its success.
Issa already has invited several officials from troubled exchanges to testify in an April 3 hearing, though not about data security. Testimony submitted by Gov. John Kitzhaber adviser Greg Van Pelt says that after a "bumpy" start, the exchange has helped enroll 175,000 people using workarounds to bypass the troubled technology.
Issa's five-page letter outlining data security concerns cites provocative federal documents. For instance:
On Sept. 18 a federal security consultant warned that allowing exchanges to connect to the federal data hub before full review and security approval puts the personal information of "millions of users at risk of identity theft."
On Sept. 27 a security reviewer for the CMS Chief Information Security Officer appears to have rated Cover Oregon as "high" risk, in part because of the lack of an independent security assessment to validate the exchange's data safeguards. In all 35 states were deemed high risk, Issa said.
Cover Oregon officials considered security breaches a real concern, but their efforts to safeguard the site faced challenges, according to documents obtained under Oregon Public Records Law.
In December 2012, Cover Oregon's former executive director Rocky King sent his top IT manager, Aaron Karjala, an article about a former hacker now working on data security, and suggested Cover Oregon hire someone like that. Karjala responded that a security audit was already in the budget, calling it "very important."
In February 2013, Cover Oregon attempted to hire Marlin Pohlman, a computer technology consultant, to do a $125-an-hour security assessment. However, he was arrested weeks later for drugging and abusing four women and sentenced to six years in prison.
On June 27, 2013, consultant John Cvetko warned King that the exchange's worsening technological problems added to its vulnerabilities, and the exchange may be considered a "high value political target" by hackers.
Cover Oregon hired its consultant, Maximus, to launch a security testing program on Aug. 2, 2013. But the effort was delayed when its main IT vendor, Oracle Corp., refused to grant access to crucial portions of the site, documents show. The company finally relented and granted the testers access on Sept. 19, less than two weeks before the exchange was supposed to go live.
A security assessment completed by Maximus on Sept. 20 shows that much of the required security testing remained unfinished. Of 182 required security controls, 66 had been reviewed. Moreover, of 121 security testing programs or "scripts" needed to bulletproof the system, only 13 had been tested, and four failed.
Cover Oregon officials said Wednesday they could not release the final March 31 Maximus security assessment without a full legal review.
©2014 The Oregonian (Portland, Ore.)
