Memo warned of "limitless" security risks for HealthCare.gov
/ CBS News
Henry Chao, HealthCare.gov's chief project manager at the Centers for Medicare and Medicaid Services (CMS), gave nine hours of closed-door testimony to the House Oversight Committee in advance of this week's hearing. In excerpts CBS News has obtained, Chao was asked about a memo that outlined important security risks discovered in the insurance system.
Chao said he was unaware of a Sept. 3 government memo written by another senior official at CMS. It found two high-risk issues, which are redacted for security reasons. The memo said "the threat and risk potential (to the system) is limitless." The memo shows CMS gave deadlines of mid-2014 and early 2015 to address them.
But Chao testified he'd been told the opposite.
"What I recall is what the team told me, is that there were no high findings," he said.
Chao testified security gaps could lead to identity theft, unauthorized access and misrouted data.
According to federal guidelines, high risk means "the vulnerability could be expected to have a severe or catastrophic adverse affect on organizational operations ... assets or individuals."
Watch: HealthCare.gov never received top-to-bottom security test, below.
It was Chao who recommended it was safe to launch the website Oct. 1. When shown the security risk memo, Chao said, "I just want to say that I haven't seen this before."
A Republican staff lawyer asked, "Do you find it surprising that you haven't seen this before?"
Chao replied, "Yeah ... I mean, wouldn't you be surprised if you were me?" He later added: "It is disturbing. I mean, I don't deny that this is ... a fairly nonstandard way" to proceed.
Late Monday, Health and Human Services told CBS News the privacy and security of consumers' personal information are at op priority, and consumers can trust their information is protected by stringent security standards. The author of the security memo, Tony Trenkle, retired from CMS last week; no reason was given.
Pajamas Media | 11/12/2013 | DAVID STEINBERG
Though a sideshow throughout Obamacare’s passage and litigation, Medicaid’s pivotal role in President Obama’s health care reform effort has become apparent following the law’s October 1 implementation. In many states, Medicaid enrollment through the .gov portal is dwarfing the number of “private” insurance plan purchases.
While this development represents a major financial threat to the survival of Obamacare, new regulations established by Obamacare to cover Medicaid enrollment have created a major threat to the United States’ ability to administrate that far larger benefit program.
Following is a summary of the problem:
Non-citizens are eligible for Medicaid and CHIP (Children’s Health Insurance Program). This is not a new development. However, the documentation and verification process for such enrollments was significantly eased by regulations in the Affordable Care Act.
Getting fraudulent applications for Medicaid or CHIP approved is now easier, and thus more likely.
The risk is increased by the security concerns inherent in the Navigator/Assister program. (For background on these concerns, read: http://pjmedia.com/blog/draining-the...ity-nightmare/)
While troubling, final approval of fraudulent applications represents a lesser element of the problem regarding non-citizen enrollment. The greater concern is initial approval:
Applicants attempting to register for Medicaid as non-citizens by using Healthcare.gov will have their identification checked in real-time by the SAVE (Systematic Alien Verification for Entitlements) database. But if SAVE verification fails, the applicant is not prevented from enrolling in Medicaid/CHIP.
In fact, the opposite occurs: the applicant is likely enrolled in Medicaid immediately.
The applicant is then given a 90-day period to clear up the identification problem.
This “enroll first, confirm later” regulation, combined with the ACA’s easing of verification requirements, allows anyone, from a computer anywhere in the world, to successfully auto-enroll for 90 days of Medicaid by entering fraudulent information about being a certain category of legal alien living in the United States.
There is no guarantee that state governments will take action to cancel these enrollments at the end of each application’s 90-day period if identification is never provided. The cancellation of unverified enrollments is left to each state’s available manpower and political will.
At the end of the 90-day period, if states do indeed ask the applicant to produce identification or to have the enrollment canceled, the applicant is allowed to ask for an extension of the 90-day period. The applicant can get the period extended for significantly longer.
Obamacare does not allow any information entered into Healthcare.gov to be used for legal action against illegal immigrants. Like “catch and release,” an applicant could attempt to fraudulently enroll repeatedly.
Foreign entities looking to flood the Medicaid rolls with fraudulent auto-enrollments are, of course, beyond U.S. prosecution and able to cause such chaos.
An organized effort by domestic or foreign entities to create countless numbers of these fraudulent enrollments could challenge Medicaid with an unsolvable administrative situation.
In February of this year, James Edwards of the Center for Immigration Studies published a report titled “Immigration and Obamacare: Proposed Medicaid Rules for Verifying Status.” His report summarized the federal government’s January publication of such rules being proposed by the Health and Human Services Department and the Centers for Medicare and Medicaid Services. These proposed rules were later finalized on July 15 (click https://www.federalregister.gov/arti...native-benefit for the 164-page “Final Rule” document).
Edwards’ report documented the security flaws developing as a result of the Obama administration’s political goal of enrolling as many people as possible in some sort of health care coverage.
Following are highlights from Edwards’ report, focusing on the easing of the non-citizen application process and the removal of safeguards:
Two, down from three, documents are to be required to establish one’s status. Attestation made about someone’s citizenship status in a single affidavit counts as one of the accepted forms of identity.
This means that a signed document from a second individual which simply states that the applicant is who he says is will be an accepted form of identification.
Electronic documentation begins to overtake presentation of authentic identification documents. Similarly, a record of identity or status verification is regarded as more important than having authenticated copies of valid, legitimate documents on record.
States do not need to file copies of the documents. They are only required to keep track of whether or not the documents were accepted. No paper trail.
If electronic verification of citizenship or immigration status fails or is delayed, applicants for health benefits must have a “reasonable opportunity period” in which to confirm their status.
If otherwise eligible for Medicaid, states must grant Medicaid enrollment to unverified persons during this period. … “Reasonable opportunity” even applies, under this rule, to persons “unable to provide a SSN [Social Security number]“ — a rather glaring loophole for frauds to exploit.
Edwards’ use of the phrase “otherwise eligible” raises the issue of the expansion and easing of the verification process for Medicaid and CHIP under President Obama. For example, eligibility for CHIP was expanded during President Obama’s first term, and the necessary documentation was decreased.
So: how simple is it to fraudulently enroll for Medicaid under the rules governing Obamacare?
Submit electronic copies of a false affidavit and a false work document while claiming to be a member of the “presumed eligible” populations, and you are required to get at least 90 days.
Most troubling, the establishment of Healthcare.gov and the other state-run exchanges allows this fraud to be perpetrated from anywhere on the planet. I asked Edwards:
PJM: “Based on the HHS/CMMS rules, couldn’t, say, al-Zawahiri get himself auto-enrolled with a “reasonable opportunity period” from a laptop in Pakistan?”
Edwards: “I hadn’t thought of that. Yes.”
In addition to the economic risk of millions arriving at domestic health care providers with fraudulent approvals and Medicaid ID numbers, Medicaid databases could be so overwhelmed with fraudulent information so as to be rendered administratively unmanageable and unreliable.
Effectively, the databases would be useless and pointless. An organized entity could, rather simply, employ this tactic to economically damage and humiliate the United States.
Ironically, the massive failure of the exchange websites has postponed the risk until the websites are functioning properly.
If the Obama administration is able to get the electronic exchanges working, they will immediately face a fresh nightmare. Flaws in the ACA law itself may create much larger problems than slow enrollment, dropped coverage, and more expensive plans. http://pjmedia.com/blog/medicaid-for-al-qaeda-obamacare-flaw-allows-anyone-on-earth-to-fraudulently-enroll-through-healthcare-gov/