Kathleen Sebelius apologized for the poor performance of the Obamacare website during a three-and-a-half hour grilling by Congress today, but the Health and Human Services secretary was forced to defend healthcare.gov against growing concerns that it may expose the private information of millions of users to hackers and identity thieves.
“Don’t you think you had the obligation to the American people to tell them we’re going to put you in this system, but beware, your information is likely to be vulnerable?” Rep. Mike Rogers, R-Mich., asked Sebelius.
Rogers cited a memo written to Medicare head Marilyn Tavenner just days before the site’s Oct. 1 launch that said security testing was not completed, and asked if Sebelius would commit to shutting down the system for a security test.
Sebelius said that HHS officials were taking steps to tighten security and that final authority to operate the website “on a permanent basis” will not be signed until that is completed.
“(Testing) is underway right now,” said Sebelius. “(D)aily and weekly monitoring and testing is underway.”
The Sept. 27 memo, obtained by NBC News, warned the head of Medicare that a private contractor had not completed testing of the site, exposing “a level of uncertainty that can be deemed as a high risk.”
In a statement, a spokesperson for the Department of Health and Human Services told NBC News, “When consumers fill out their online Marketplace applications, they can trust that the information they’re providing is protected by stringent security standards and that the technology underlying the application process has been tested and is secure.”
Cybersecurity expert Alex McGeorge said that the government’s responses Wednesday were not reassuring.
“This is a very, very enticing target for attackers because it’s very simple to turn personal identifying info into hard currency,” said McGeorge. “You have to weigh the privacy risks of, ‘I'm going to put all my information with the government in this one basket in order to receive healthcare.’ And one of the risks that you take is well, if it's all in one basket, it could be stolen from that basket.”
In an interview with NBC News, a former top government official raised his own questions about the site’s security, and about the healthcare.gov’s privacy protections. Michael Astrue, the Bush appointee who served as head of the Social Security Administration from 2007 until early this year, said that the Obama administration exempted the website from many federal privacy protections, potentially making the personal data on healthcare.gov accessible to a range of government and private entities, including the Department of Homeland Security to credit agencies.
“There were shortcuts taken on the information technology,” said Astrue, “and there were shortcuts taken in terms of adherence to the laws that protect our rights.”
According to Astrue, concerns about privacy protections were the subject of debate within the administration before launch. But Astrue said that his warnings that the site’s design should not contravene the Federal Privacy Act were ignored. “I was extremely upset,” said Astrue. “First of all they were violating the statute. Second, there would be real world consequences for Americans.”
Three weeks after healthcare.gov launched, administration officials granted 13 exemptions to the Privacy Act permitting sensitive personal data being entered into healthcare.gov and the state health insurance exchanges to be shared with agency contractors, consultants, the Department of Homeland Security, state and local governments, employers and family members. The exemptions are displayed in fine print on healthcare.gov.
Astrue said that credit agencies will also be able to access the data, and the category of family members could include estranged spouses. He said estranged spouses could conceivably use the system to confirm an address.
Administration officials said the exemptions are essential – to determine if people qualify for health insurance subsidies – and that they have taken important precautions, including encrypting data, to protect security.
But Astrue says that in the race to make the deadline the administration jeopardized privacy protection.
“Many of their systems were put up quickly, shoddily, and tied together shoddily,” said Astrue. “It’s a hacker’s dream.”
Deborah Peel, a doctor who heads the advocacy group Patient Privacy Rights, shares Astrue’s alarm about access to the personal information on the government sites.
“There's a hidden army of government and industry and corporations that are going to also be accessing and using our data and that's scary," said Peel. "We don't know who they are. We need to at a minimum be able to have real time lists of who's looking at our information and why."
Astrue said he talked to senior officials at the Health and Human Services Dept., the White House and the Office of Management and Budget about potential privacy problems. When he raised privacy concerns, however, he said that the officials, including top aides to Sebelius, pointed to the Oct. 1 roll-out date for the Affordable Care Act.
They reacted with a “shrug,” he said. “’You know we’re going to hit Oct. 1.’ That was the mantra.”
More from NBC News Investigations: