Officials were warned about health site woes

By Sharon LaFraniere and Eric Lipton, New York Times News Service

Tuesday, Nov. 19, 2013 | 8:59 a.m.

WASHINGTON — Senior Obama administration officials, including several in the White House, were warned by an outside management consultant early this year that the effort to build the HealthCare.gov site was falling behind and at risk of failure unless immediate steps were taken to correct the problems, according to documents released by House investigators.

The report, by McKinsey & Co., which was prepared in April at the request of the Department of Health and Human Services, said that management indecision and a “lack of transparency and alignment on critical issues” were threatening progress, despite the tight deadline.

The McKinsey report found that the effort was at risk because of issues including “significant dependency on external parties/contractors,” as well as “insufficient time and scope of end-to-end testing,” and “parallel stacking of all phases,” all predictions that have turned out to be accurate.

Briefings on the report were held in the spring at the White House and at the headquarters of the Health and Human Services Department and for leaders at the Centers for Medicare and Medicaid, congressional investigators said.

“The administration was on track — on track for a disaster — and yet officials refused to be transparent with the Congress and the American people,” said Rep. Fred Upton, R-Mich., the committee chairman.

The latest evidence detailing the troubled startup of the website came as Obama administration officials said that as of mid-November, the number of enrollees, who had selected a marketplace plan, was more than 50,000 — up from 27,000 in the entire month of October but still a fraction of the number the administration once hoped for.

Despite the progress, specialists are worried about whether they can meet the administration’s goal of enabling 4 in 5 users to enroll through the online federal exchange, HealthCare.gov, by the end of the month. One person familiar with the effort said a more realistic goal was that 4 out of 5 people “have a positive experience,” which could include being redirected to customer service agents.

White House officials said Monday that many of the remaining users would turn to call-in or counseling centers because their insurance situations were complicated. But specialists involved in the repair effort said technical issues may frustrate more users than administration officials suggest. And it is unclear how many fixes remain to be made, because the list keeps changing.

White House officials and some computer experts say much of the criticism is overblown, designed more to scare would-be enrollees away from the insurance exchanges. But the concern is bipartisan. At a closed-door meeting last week, two Democratic senators pressed administration officials on efforts by Chinese hackers to break into the site, according to a Democratic Senate official at the meeting.

The computer security question may be particularly delicate. The federal insurance website collects a broad range of personal information, including applicants’ Social Security numbers, addresses, emails, income and health information.

House Republicans have latched on to a final report by Mitre Corp., one of the main firms hired to assess the security of the site, which said Oct. 11, 11 days after the site went live, that it was “unable to adequately test the confidentiality and integrity” of the health exchange. Mitre went on to say that a “complete end-to-end testing” of the site “never occurred.”

Jason Providakes, Mitre’s senior vice president and general manager, will put some distance between his company and that assessment in a hearing before the House Energy and Commerce Committee, one of the two hearings scheduled for Tuesday.

“We were not asked, nor did we perform ‘end-to-end’ security testing,” he will say, according to written testimony posted in advance of the hearing. “We have no view on the overall ‘safety’ or security status of HealthCare.gov.”

That is not likely to stop the law’s opponents from passing their own judgment.

“Unfortunately, in their haste to launch the website, it appears the Obama administration cut corners, leaving the site wide open to hackers and other online criminals,” said Rep. Lamar Smith, R-Texas, chairman of the House Science, Space and Technology Committee, which will hold the other hearing.

Documents show that as recently as September, senior Health and Human Services officials were worried about the vulnerability of the system to security threats.

When the health care exchanges first opened for business, there was an important vulnerability that could have allowed hackers to try to hijack users’ accounts by resetting their passwords. But federal officials fixed that problem the same day they learned about it, after it was pointed out to them by Ben Simo, a software engineer and tester from Arizona.

Some vulnerabilities still existed through mid-November, Simo said. For example, the enrollment system sent consumers their username and account activation code in a single message, which could potentially be intercepted.

That combination has led to repeated warnings, and a continued focus at congressional hearings on the possibility that hackers might gain access to private, personal data.

As of last week, the Homeland Security Department had received reports of 16 attempted cyberattacks, all of which it was investigating.