US government refuses to release info on HealthCare.gov site security
Despite ongoing questions about the security of data on the beleaguered HealthCare.gov, the Obama administration refused a request to release information about the computer systems and security software used for the federal website.
The Associated Press filed a Freedom of Information Act (FOIA) request at the end of 2013 with the Centers for Medicare and Medicaid Services (CMS) for documents about the kinds of security software and computer systems behind the federally funded HealthCare.gov. The request came “amid concerns that Republicans raised about the security of the website, which had technical glitches that prevented millions of people from signing up for insurance under President Barack Obama's health care law,” the wire service said.
The website’s rollout was marred by serious glitches and significant downtime. Then, in October, security expert Ben Simo discovered a number of problematic vulnerabilities that he said could have compromised the personal information of potentially millions of Americans.
“There are so many obvious security flaws that I doubt they took security seriously,” Simo, the former president of the Association for Software Testing, wrote on his blog.
At the same time, the Associated Press reported that an internal government memo indicated that HealthCare.gov posed a “high” security risk because a contractor wasn’t able to test the site properly.
AP then filed its FOIA request, asking CMS for a site security plan for HealthCare.gov (meaning the ways to prevent security breaches from occurring). The agency cited the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in its denial.
The Obama administration promised not to withhold information over "speculative or abstract fears," a presidential memorandum on FOIA requests said. But the executive branch denied AP’s application, saying that releasing the documents could “potentially” allow hackers entrance to the site.
"We concluded that releasing this information would potentially cause an unwarranted risk to consumers' private information," CMS spokesman Aaron Albright said in a statement.
In 2009, Obama issued the directive that “all agencies should adopt a presumption in favor of disclosure” when it comes to FOIA requests. “The Government should not keep information confidential merely because public officials might be embarrassed by disclosure, because errors and failures might be revealed or because of speculative or abstract fears.”
In 2011, the Supreme Court significantly narrowed a provision under open records laws that agencies had used to keep their internal practices under wraps. “Federal agencies have tried to use other, more creative routes to keep information censored” since then, Fox News wrote.
In addition to citing potential health-privacy violations, the government cited FOIA exemptions intended to protect personal privacy and law-enforcement records, although the agency did not explain what files about the health care website had been compiled for law-enforcement purposes.
Some open-government advocates were skeptical, AP reported.
"Here you have an example of an agency resorting to a far-fetched privacy claim in an unprecedented attempt to bridge this legal gap and, in the process, making it even worse by going overboard in withholding such records in their entireties," said Dan Metcalfe, a former director of the Justice Department's office of information and privacy who's now at American University's law school.
Information technology experts call responses like the government’s “security through obscurity.”
"Security practices aren't private information," David Kennedy, an industry consultant who testified before Congress last year about HealthCare.gov's security, told AP.
The wire service has asked the government to reconsider withholding all of the information covered in the FOIA request.
“Attorney General Eric Holder has directed agencies to consider whether parts of the files can be revealed with sensitive passages censored,” AP wrote. “CMS told the AP it will not release any parts of any of the records.”