Chief Information Security Officer for Obamacare: I Told HHS the Website Wasn’t Safe

David Inserra /

According to news reports, a government security expert at the heart of Healthcare.gov told Members of the House Oversight Committee that she informed HHS that the website was too dangerous to use.

In the days leading up the Obamacare rollout, Teresa Fryer, the Chief Information Security Officer at the Centers for Medicare and Medicaid Services (CMS), which oversees Healthcare.gov, recommended “a denial of Authority to Operate (ATO)” because she viewed it as “a high risk.” Despite her expertise on security issues and her responsibility for the security of the website, Fryer’s multiple warnings were overruled by her superiors.

As a result, the website went forward, not only with crippling errors that stopped the website cold, but also with critical security risks. The government defines a “high risk” as that which could have a “severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.” While a CMS spokesperson has said that the security measures are in place and no successful attacks have occurred, Fryer knows the truth of cybersecurity: You may have been hacked or have a serious vulnerability in your system and not even know about it. These “unknown risks” can’t be fixed or mitigated because no one even knows they exist.

So not only were there known “high risks,” but the system wasn’t even fully tested to find other potential threats. Indeed, since the website launched, Fryer said that other “moderate” and “low” security risks were found, and others may still be out there.

Armed with this knowledge of known and unknown threats, Fryer reportedly recommended that the website not go live. Fryer not only told her boss, the now-retired Chief Information Officer of CMS Tony Trenkled, but she also briefed Secretary of Health and Human Services Kathleen Sebelius’s top information officers including Healthcare.gov’s chief project manager, HHS’s chief information security officer, and the HHS Deputy Assistant Secretary for Information Technology. They decided to ignore her warnings, despite the potentially “catastrophic” danger that it posed to Americans’ personal information.

Perhaps even worse, Secretary Sebelius testified before Congress on Oct 30 and told Congress that “I can tell you that no senior official reporting to me ever advised me that we should delay. We have testing that did not advise a delay. So not—not to my knowledge.”

This means one of two things: Either Secretary Sebelius did know and lied to Congress, or her staff is incredibly incompetent for not informing her of a risk of this magnitude. With consistent disregard for the rule of law and Americans’ security, privacy, and wallets, it should be clear that Obamacare is wrong for the U.S.