Johnson Holds Agency Accountable for Obamacare-related Data Breach

The following press release was published by the U.S. Senate Committee on Homeland Security and Governmental Affairs on Oct. 21, 2018. It is reproduced in full below.

Dear Secretary Azar:

On Friday, Oct. 19, 2018, the Centers for Medicare & Medicaid Services (CMS) notified the Committee of a breach of a system associated with healthcare.gov, the website created for Obamacare enrollment. According to CMS, the breach affected approximately 75,000 individuals through the Direct Enrollment pathway for agents and brokers of the Federally-facilitated Exchange. This breach follows CMS’s history of reported security weaknesses with the healthcare.gov web portal and supporting systems. Previous congressional oversight showed how CMS launched healthcare.gov in 2013 despite vulnerabilities that put the personal information of Obamacare enrollees at risk.

The Committee has jurisdiction over federal information systems and the Federal Information Security Management Act of 2002 (FISMA). To assist the Committee in its oversight of the breach affecting healthcare.gov, I respectfully request the following information:

1. Please provide the date and time by which the first indicator of compromise (IOC) was identified and who identified this initial IOC (i.e., CMS personnel or contractors, or law enforcement entities).

2. Please provide the date on which CMS notified the Office of Inspector General and law enforcement.

3. Please describe the type of personally identifiable information (PII) affected, and how CMS determined that the 75,000 was the universe of individuals affected. Does CMS believe this to be the full exposure, or is 75,000 CMS's initial estimate?

4. Please provide a copy of CMS's notification to U.S. Computer Emergency Readiness Team concerning the initial IOC.

5. Please provide the date on which the bad actor(s) were expunged from the system; log information sufficient to indicate how long these bad actor(s) had access to CMS or HHS system(s) and also individuals’ PII; and CMS's current assessment as to whether all bad actor(s) have been expunged from CMS and HHS systems.

6. Has CMS notified the 75,000 people who have had their sensitive information compromised? Does CMS intend to offer any credit monitoring or protection to these individuals?

7. Please produce all documents or communications referring or relating to the breach of healthcare.gov’s Direct Enrollment pathway.

In addition to responses to the above, I respectfully request a briefing for Committee staff. Please provide a response as soon as possible but no later than 5:00 p.m. on Oct. 30, 2018.

The Committee on Homeland Security and Governmental Affairs is authorized by Rule XXV of the Standing Rules of the Senate to investigate “the efficiency, economy, and effectiveness of all agencies and departments of the Government.” Additionally, S. Res. 62 (115th Congress) authorizes the Committee to examine “the efficiency and economy of operations of all branches and functions of Government with particular references to (i) the effectiveness of present national security methods, staffing, and processes….”

If you have any questions about this request, please ask your staff to contact Elliott Walden of the Committee staff at (202) 224-4751. Thank you for your attention to this matter.

Source: U.S. Senate Committee on Homeland Security and Governmental Affairs
