BreachExchange mailing list archives

Security concerns prompt subpoena for HealthCare.gov data


From: Lee J <lee () riskbasedsecurity com>
Date: Wed, 30 Oct 2013 14:08:54 +1100

http://www.infoworld.com/t/federal-regulations/security-concerns-prompt-subpoena-healthcaregov-data-229751

A U.S. House committee chairman, citing security concerns, today ordered a
HealthCare.gov contractor to provide detailed information about its work on
the project.

Rep. Darrell Issa (R-Calif.), chairman of the Committee on Oversight and
Government Reform, Tuesday issued a subpoena for Quality Software
Services Inc.'s contract with the U.S. Dept. of Health and Human Services
(HHS) to work on the Affordable Care Act's (ACA) website.

The subpoena also orders QSSI to disclose how much it has been paid so far
for its work on the project, along with details about all
HealthCare.gov-related internal communications and those between the company
and workers at HHS and the White House.

Issa said he issued the subpoena after QSSI failed to voluntarily hand over
the information after it was asked for it by the committee last week.

QSSI did not respond to a request for comment on the subpoena.

"It is crucial that you provide information quickly because of the serious
concerns about data security related to the lack of testing," Issa said in
a letter sent to QSSI and 10 other HealthCare.gov contractors on October
23. "This lack of testing is concerning due to the amount of sensitive
consumer information flowing through the data hub and exchanges."

QSSI is responsible for building HealthCare.gov's core Data Hub, which is
designed to support ACA health exchanges. The hub is operated by the U.S.
Centers for Medicare and Medicaid Services (CMS) and is designed to let
health care marketplaces quickly verify the eligibility of individuals
seeking insurance coverage.

HealthCare.gov's Data Hub doesn't store data, but it's designed to connect
insurance exchanges with federal databases at various government agencies,
including the Social Security Administration, the Internal Revenue Service,
the Dept. of Homeland Security, and the Dept. of Veterans Affairs.

QSSI also oversees the testing of software code developed by other
HealthCare.gov contractors and last week signed a contract to be the
general contractor in charge of fixing glitches that have plagued the site
since it went live on Oct. 1.

Issa said that QSSI's firsthand knowledge of the design and implementation
of the Data Hub could help committee members better understand the
decisions that went into building the website.

The subpoena is the latest sign of a growing unease over the security
controls in HealthCare.gov. Though the site does not store much personal
data, critics fear that it could nonetheless expose users to identity theft
and other types of fraud.

Jaikumar Vijayan covers data security and privacy issues, financial
services security and e-voting for Computerworld. Follow Jaikumar on
Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His email
address is jvijayan () computerworld com.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
