Henry Chao, HealthCare.gov’s chief project manager at the Centers for Medicare and Medicaid Services (CMS), gave nine hours of closed-door testimony to the House Oversight Committee in advance of this week’s hearing.
…Chao said he was unaware of a Sept. 3 government memo written by another senior official at CMS. It found two high-risk issues, which are redacted for security reasons. The memo said “the threat and risk potential (to the system) is limitless.” The memo shows CMS gave deadlines of mid-2014 and early 2015 to address them.
…It was Chao who recommended it was safe to launch the website Oct. 1. When shown the security risk memo, Chao said, “I just want to say that I haven’t seen this before.”
A Republican staff lawyer asked, “Do you find it surprising that you haven’t seen this before?”
Chao replied, “Yeah … I mean, wouldn’t you be surprised if you were me?” He later added: “It is disturbing. I mean, I don’t deny that this is … a fairly nonstandard way” to proceed.
This proves that it was a complete and utter lie when HHS said that they believed the site was safe for launch October 1st and that they could just fix it as time went on. This memo said it would take at least 9 months to fix “unlimited security threats.”
As it turns out, the memo was written by — ta da — Tony Trenkle, lead tech officer for Healthcare.gov who left last week under mysteriously vague circumstances. As CBS reported, Trenkle himself never signed off on security for the site in September; it was his boss, Marilyn Tavenner, who signed the authorization, supposedly because she thought that a project this big should carry the John Hancock of the head of CMS. Is that the truth, or did Trenkle refuse to sign because he knew the site’s security was a travesty and couldn’t in good conscience authorize launching it? The fact that he wrote such a dire memo about “limitless” risk suggests that he knew the extent of the problem — and yet, if you believe Chao, that information somehow never made its way to the project manager. Why? Why are there so many unorthodox procedures related to approval of the site’s security here? Did Tavenner, at least, see Trenkle’s memo before she authorized the launch or was it withheld from her too? If she did see it, why didn’t she tell Obama and Sebelius that security was too weak to justify rolling it out now?
I assume CMS will try to pin all of this on Trenkle by claiming he didn’t do enough to warn his superiors about how bad things were. And yet the fact remains: He wrote the memo. He wanted someone to see it.
So who is to blame here? Seeing as how the memo found its way to Congress, I’m sure it wouldn’t take that much legwork to find out how far up that memo went, and who suppressed it or who ordered it suppressed.