Republican committee leaders in the Senate and House today asked the administration for information about the 316 security breaches on HealthCare.gov catalogued in a new report released by the nonpartisan government watchdog, the Government Accountability Office (GAO). Between October 2013 to March 2015, HealthCare.gov had 316 security incidents, including 41 which involved personally identifiable information.
The GAO reported that HHS does not have complete records of how many people these incidents impacted and whether impacted individuals were notified. The letter sent to HHS Secretary Sylvia Burwell and Centers for Medicare & Medicaid Services Acting Administrator Andy Slavitt is seeking information specifically about the report findings that between October 2013 to March 2015, HealthCare.gov had 316 security incidents, including 41 which involved personally identifiable information.
The letter was sent by Senate Health, Education, Labor and Pensions Committee Chairman Lamar Alexander (R-Tenn.), Senate Finance Committee Chairman Orrin Hatch (R-Utah), House Energy and Commerce Committee Chairman Fred Upton (R-Mich.), House Ways and Means Committee Chairman Kevin Brady (R-Texas), House Oversight and Government Reform Committee Chairman Jason Chaffetz (R-Utah), Senate Judiciary Committee Chairman Chuck Grassley (R-Iowa), Senate Commerce Committee Chairman John Thune (R-S.D.) and Senate Committee on Homeland Security and Governmental Affairs, Permanent Subcommittee on Investigation Chairman Rob Portman (R-Ohio).
In the letter Republican committee leaders in the Senate and House wrote: “In order to assist us in fulfilling our oversight responsibilities, please send us a list and description of every security incident involving HealthCare.gov since October 2013, including how many individuals’ records were compromised, whether the incident involved personally identifiable information, and whether the affected individuals were notified. Please also send the HHS Breach Response Team’s charter and Standard Operating Procedures, its annual reports since 2013, the CMS breach response plan, and the after-action reports for each security incident.
“If HHS did not inform affected individuals, we urge you to change that policy immediately.”
The leaders, who had previously requested information from the administration about the website’s security, told Secretary Burwell they were concerned that they had not earlier been informed of the security breaches.
The leaders have requested a reply by April 6, 2016.