[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]





    EXAMINING OBAMACARE'S FAILURES IN SECURITY, ACCOUNTABILITY, AND
    
                              TRANSPARENCY
=======================================================================


                                HEARING

                               before the

                        COMMITTEE ON OVERSIGHT
                         
                         AND GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             SECOND SESSION

                               __________

                           SEPTEMBER 18, 2014

                               __________

                           Serial No. 113-156

                               __________

Printed for the use of the Committee on Oversight and Government Reform


         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform
                      
                      
                                    ______
                                       
                        U.S. GOVERNMENT PUBLISHING OFFICE 

91-961 PDF                    WASHINGTON : 2015 
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Publishing 
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                          Washington, DC 20402-0001
                          
                      
              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                 DARRELL E. ISSA, California, Chairman
JOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland, 
MICHAEL R. TURNER, Ohio                  Ranking Minority Member
JOHN J. DUNCAN, JR., Tennessee       CAROLYN B. MALONEY, New York
PATRICK T. McHENRY, North Carolina   ELEANOR HOLMES NORTON, District of 
JIM JORDAN, Ohio                         Columbia
JASON CHAFFETZ, Utah                 JOHN F. TIERNEY, Massachusetts
TIM WALBERG, Michigan                WM. LACY CLAY, Missouri
JAMES LANKFORD, Oklahoma             STEPHEN F. LYNCH, Massachusetts
JUSTIN AMASH, Michigan               JIM COOPER, Tennessee
PAUL A. GOSAR, Arizona               GERALD E. CONNOLLY, Virginia
PATRICK MEEHAN, Pennsylvania         JACKIE SPEIER, California
SCOTT DesJARLAIS, Tennessee          MATTHEW A. CARTWRIGHT, 
TREY GOWDY, South Carolina               Pennsylvania
BLAKE FARENTHOLD, Texas              TAMMY DUCKWORTH, Illinois
DOC HASTINGS, Washington             ROBIN L. KELLY, Illinois
CYNTHIA M. LUMMIS, Wyoming           DANNY K. DAVIS, Illinois
ROB WOODALL, Georgia                 PETER WELCH, Vermont
THOMAS MASSIE, Kentucky              TONY CARDENAS, California
DOUG COLLINS, Georgia                STEVEN A. HORSFORD, Nevada
MARK MEADOWS, North Carolina         MICHELLE LUJAN GRISHAM, New Mexico
KERRY L. BENTIVOLIO, Michigan        Vacancy
RON DeSANTIS, Florida

                   Lawrence J. Brady, Staff Director
                John D. Cuaderes, Deputy Staff Director
                    Stephen Castor, General Counsel
                       Linda A. Good, Chief Clerk
                 David Rapallo, Minority Staff Director
                 
                 
                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on September 18, 2014...............................     1

                               WITNESSES

Mr. Gregory C. Wilshusen, Director, Information Security Issues, 
  U.S. Government Accountability Office
    Oral Statement...............................................     7
    Written Statement............................................     9
The Hon. Marilyn Tavenner, Administrator, Centers for Medicare 
  and Medicaid Services, U.S. Department of Health and Human 
  Services
    Oral Statement...............................................    24
    Written Statement............................................    26
Ms. Ann Barron-DiCamillo, Director, U.S. Computer Emergency 
  Readiness Team, U.S. Department of Homeland Security
    Oral Statement...............................................    38
    Written Statement............................................    40

                                APPENDIX

Answers to questions for the record by Ms. Tavenner, submitted by 
  Mr. Issa.......................................................    82
Correspondence by the OGR Majority Staff and DHS, submitted by 
  Mr. Issa.......................................................    97
Data Breach Prosecutions and Investigations, submitted by Mr. 
  Issa...........................................................   100
Emails from Ms. Tavenner, submitted by Mr. Mica..................   171
GAO Report ``Healthcare.gov: Actions Needed to Address Weaknesses 
  in Information Security and Privacy Controls''.................   173
Obamacare Articles...............................................   251
Majority Staff Report 9-18-14....................................   262

 
    EXAMINING OBAMACARE'S FAILURES IN SECURITY, ACCOUNTABILITY, AND 
                              TRANSPARENCY

                              ----------                              


                      Thursday, September 18, 2014

                  House of Representatives,
      Committee on Oversight and Government Reform,
                                            Washington, DC.
    The committee met, pursuant to notice, at 11:11 a.m., in 
room 2154, Rayburn House Office Building, Hon. Darrell E. Issa 
[chairman of the committee] presiding.
    Present: Representatives Issa, Mica, Duncan, Jordan, 
Chaffetz, Walberg, Lankford, Amash, Meehan, Farenthold, 
Collins, Meadows, DeSantis, Cummings, Maloney, Clay, Lynch, 
Connolly, Speier, Cartwright, Kelly, and Lujan Grisham.
    Staff present: Ali Ahmad, Professional Staff Member; 
Melissa Beaumont, Assistant Clerk; David Brewer, Senior 
Counsel; Steve Castor, General Counsel; John Cuaderes, Deputy 
Staff Director; Adam P. Fromm, Director of Member Services and 
Committee Operations; Linda Good, Chief Clerk; Meinan Goto, 
Professional Staff Member; Christopher Hixon, Chief Counsel for 
Oversight; Mark D. Marin, Deputy Staff Director for Oversight; 
Emily Martin, Counsel; Tamara Alexander, Minority Counsel; 
Aryele Bradford, Minority Press Secretary; Jennifer Hoffman, 
Minority Communications Director; Una Lee, Minority Counsel; 
Juan McCullum, Minority Clerk; Dave Rapallo, Minority Staff 
Director; and Cecelia Thomas, Minority Counsel.
    Chairman Issa. The committee will come to order.
    Without objection, the chair is authorized to declare a 
recess of the committee at any time.
    The Oversight Committee exists to secure two fundamental 
principles: First, Americans have a right to know that the 
money Washington takes from them is well-spent; and, second, 
Americans deserve an efficient, effective government that works 
for them. Our duty on the Oversight and Government Reform 
Committee is to protect these rights.
    Our solemn responsibility is to hold government--
government--accountable to taxpayers because taxpayers have a 
right to know what they get from their government. It is our 
job to work tirelessly, in partnership with citizen watchdogs, 
to deliver the facts to the American people and bring genuine 
reform to the Federal bureaucracy.
    Over the past 4 years, the Oversight and Government Reform 
Committee has conducted vigorous oversight of the 
implementation of the Affordable Care Act, often called 
``Obamacare,'' including the design and launch of 
HealthCare.gov. Today the committee focuses on the 
interconnected issues of security of the Website, 
accountability within the administration, and, most of all, 
transparency to the American people.
    The Government Accountability Office released a report this 
week on security of HealthCare.gov. The GAO found the 
administration failed to take appropriate and sufficient steps 
to protect HealthCare.gov and associated systems against 
security and privacy risks. More importantly, the GAO report 
strongly asserts that security testing is not complete and 
security weaknesses continue to plague the Website.
    One of the principal authors of the GAO report will testify 
before us today.
    The committee has released a report detailing several 
breakdowns in both accountability within the administration and 
transparency to the American people during the design and 
implementation of HealthCare.gov. It is important to understand 
that, with private-sector, high-profile losses of information 
due to hackers, there are huge repercussions to those 
companies, and the government often comes in and further 
victimizes the companies who have, in fact, been victimized by 
hackers. And yet, when the government fails to protect 
involuntarily taken personally identifiable information, there 
is nobody but people on this dais to try to hold government 
accountable.
    Documents obtained by this committee show factions 
developed within the agency in charge of implementing 
Obamacare, the Centers for Medicare and Medicaid Services, or 
CMS. These factions fought over several issues, including over 
Website security.
    CMS often fought to keep information from their colleagues 
within the larger Department of Health and Human Services. And, 
additionally, the administration endeavored to keep the truth 
and the true nature of the Website's problems out of the public 
eye. Following the collapse of HealthCare.gov, administration 
officials refused to admit to the public that the Website was 
not on track to launch without significant functionality 
problems and substantial security risks.
    Last month, CMS denied the Associated Press access to 
security documents requested under the Freedom of Information 
Act. Even more recently, CMS refused to provide the Government 
Accountability Office documents related to the 13 incidents 
that we are going to hear about in vague detail here today.
    I want to make something very clear. Refusal to cooperate 
with the GAO, a nonpartisan, government-created entity, refusal 
to allow access by the whistleblowers under Freedom of 
Information Act, and refusal to cooperate with even the 
inspectors general, something we saw here just a few days ago 
with 47 inspector generals out of 73 complaining with the lack 
of access even within the executive branch, this is not the 
most transparent administration in history. And, certainly, the 
transparency we see here today was only done under subpoena.
    We will probably hear today that CMS has offered to brief 
GAO on these 13 incidents. It is not acceptable after the 
public scrutiny reveals that they exist and they have been 
denied, on the eve of a hearing and only after an audit is 
completed, to then say, ``We would be glad to brief you.'' That 
is unacceptable and, quite frankly, one of the most 
disingenuous things I have ever seen. There were 5 months 
during the audit to comply with a reasonable request by the 
Government Accountability Office, and it wasn't done.
    Questions of security can no longer be easily dismissed by 
the administration. In late July, HealthCare.gov suffered a 
malicious attack from a hacker, and it took nearly 2 months for 
CMS to identify the intrusion. CMS Administrator Marilyn 
Tavenner, who is with us today, will testify, and we will 
discuss that in addition to the GAO report.
    I am sure we will hear that there was no loss of data, that 
this was not the main site, and so on. That doesn't change the 
fact that security risks exist whenever you fail to secure not 
just the main site but backdoors. Too often, backdoors have 
been what we have discovered.
    In the case of another investigation of this committee, we 
discovered that the backdoors were something as simple, in one 
case, as a stolen laptop on which those who stole it later 
added peer-to-peer software, which then made information on 
that database available to the public, potentially. The 
Federal Trade Commission opened an investigation, and a 
plaintiff's trial lawyer sued and won money on behalf of people 
whose information was never actually released. But, in fact, 
both the government and plaintiff's bars thoroughly enjoyed 
going after a nonprofit AIDS clinic. I cannot and will not 
allow our government to put itself at a different standard of 
accountability.
    Last month, the Center for Medicare and Medicaid Services 
informed the committee that, once again, there were lost emails 
in response to the committee's subpoena and documents related 
to HealthCare.gov. This is not an uncommon pattern; this is a 
pattern of predictability. This administration has not complied 
with nor caused their key executives, including political 
appointees, to comply with the Federal Records Act. 
Administrator Tavenner admitted to deleting her own emails 
during the time period of Obamacare implementation.
    Madam, your actions hinder Congress' investigation and also 
prevent the public from accessing information under the Freedom 
of Information Act. It appears as though this administration 
holds itself to a different level of compliance with historic 
Federal documents than the last administration or any 
administration since the passage.
    We are also today joined by the Department of Homeland 
Security's U.S. Computer Emergency Readiness Team, or CERT. The 
committee has concerns about the team's transparency regarding 
a hack reported earlier this month.
    The administration has already spent a billion dollars on a 
Website that is still not fully operational and fully not 
secure. The same government officials responsible for the lack 
of transparency and accountability a year ago remain in the 
position of authority.
    Questions of security, accountability, and transparency go 
beyond whether or not you support the President's healthcare 
law. Many of these issues are not limited to health care and 
mirror the transparency and accountability concerns raised, 
again, by 47 out of 73 inspector generals in an unprecedented 
letter to this and other committees of Congress in August.
    Minutes before HHS announced publicly on September 4th that 
HealthCare.gov had experienced a malicious attack in July of 
this year, an HHS official contacted my office to give them 
limited details of the successful hack. During the brief call, 
HHS gave my staff the name and phone number of a contact at the 
Department of Homeland Security and suggested my staff contact 
DHS for more information about the hack itself and the 
government's response to the hack.
    My staff reached out to HHS's suggested contact at DHS on 
Monday of last week, followed up on Tuesday, and were told that 
DHS was running--and in parentheses, the request--back with HHS 
to see if we can all jointly get on the phone, seeing if 
tomorrow will work. However, my staff followed up on Wednesday 
and Friday and then on Monday and Tuesday, with no response 
from DHS.
    I would like to note that, despite a week of persistent 
emails from my staff, DHS was unable to make time to brief our 
committee even by phone. However, 2 days ago, the minority 
staff notified me that they were asking for our witness today, 
DHS, to appear as a witness at today's hearing. I accepted it 
even though, clearly, this is a witness from an organization 
that has refused to answer questions or cooperate with the 
investigation.
    When the minority staff reached out to ask if DHS would 
appear as a witness, DHS was able to produce a witness 
prepared, apparently in detail, to provide testimony before 
this hearing today. However, DHS has still not arranged to 
properly brief our staff or to answer questions that we will be 
asking here today.
    I would like to introduce into the record at this time the 
correspondence between the staff and DHS as an example of what 
appears to be a very different treatment from this 
administration to a request from the majority staff versus a 
request from the minority staff. And, without objection, it 
will be placed in the record.
    Chairman Issa. Let's cut to the chase. I have with me three 
witnesses. Two, very clearly, are not part of transparency in 
government.
    I have no doubt that your organizations have worked 
diligently with the minority to try to make this hearing good 
for you. It is not our job to try to make this hearing bad for 
you, but the American people deserve the truth, not a cozy 
relationship between the people of your President's party, in 
covering up the ongoing failure to secure a Website that cost 
over a billion dollars.
    And, with that, I am pleased to recognize the ranking 
member for his opening Statement.
    Mr. Cummings. Thank you very much, Mr. Chairman.
    First of all, I want to apologize for running late. The 
Speaker asked us to be at a joint session of Congress to hear 
the President of the Ukraine, and many of us were there.
    One of our most important jobs in Congress is to help 
protect the interests of the American people. They demand that 
government and private companies safeguard their personal 
information, safeguard their Social Security numbers, their 
credit cards, and their health information. Nobody wants to get 
a call from a credit card company saying, your personal 
information has been compromised. It could upend your entire 
life, and it can cause serious financial problems for years.
    I believe our committee has the potential to perform a very 
valuable function in this area. With our extremely broad 
jurisdiction over multiple Federal agencies and corporate 
entities, we can help promote robust security standards across 
the entire government and private sector. To date, however, we 
have not fulfilled this potential.
    Today's hearing is our 29th on the Affordable Care Act and 
our sixth on HealthCare.gov. I completely agree that the ACA 
Website must be secure. That is why I am so heartened that, 
despite all of the challenges with the rollout last year, 
nobody's personal information has been compromised to date as a 
result of a malicious attack. Nobody's personal information has 
been compromised to date as a result of a malicious attack. 
Now, that could change, so we have to remain vigilant. After 
all, this is our watch. But, so far, no attacks have been 
successful in that regard.
    There certainly have been attempts. Last week, the Centers 
for Medicare and Medicaid Services reported that hackers 
uploaded malware onto a server. But there are several key facts 
to know about the attack. First, it was not directed at 
HealthCare.gov alone but a much wider universe of targets. 
Second, the server that was attacked was a test server that had 
no personal information on it. Third, the most important, 
nobody's personal information was compromised as a result.
    That incident was investigated by the United States 
Computer Emergency Readiness Team and the Department of 
Homeland Security. The director of that team, in her written 
testimony for today, reports, and I quote, ``There is no 
indication that any data was compromised as a result of this 
intrusion,'' end of quote.
    Although our committee has spent a tremendous amount of 
time focusing on the Affordable Care Act and its Website, where 
no cyber attacks have compromised anyone's personal information 
to date, we have been disregarding much more serious attacks 
that have actually compromised a massive amount of personal 
information of our constituents. We are talking about hundreds 
of millions of people--hundreds of millions.
    For example, on January 14th, more than 8 months ago, I 
sent a letter requesting a bipartisan hearing with senior 
officials from Target. As I wrote, ``Up to 110 million 
Americans were subjected to one of the most massive information 
technology breaches in history when their credit, debit, and 
other personal information reportedly was compromised,'' end of 
quote.
    On September 9th, I sent a letter requesting a bipartisan 
hearing on a major data security breach at Community Health 
Systems, the Nation's largest for-profit hospital chain. I 
explained that, quote, ``hackers broke into its computers and 
stole data on 4.5 million patients,'' end of quote. As I noted, 
this was, quote, ``the largest hacking-related health 
information breach ever reported,'' end of quote.
    On September 11th, I sent a letter requesting a bipartisan 
hearing to examine the recent security breach at Home Depot, 
where our constituents shop. I explained that Home Depot, 
quote, ``has more stores in the United States and a higher 
total annual sales volume than Target,'' end of quote. And, 
quote, ``it appears to have experienced a data security breach 
for a longer period of time than the data security breach that 
occurred at Target,'' end of quote.
    And just this Monday, I sent a letter requesting a 
deposition with the CEO of USIS, the company that conducts more 
background checks for the government than any other contractor 
and which had its own breach this summer. And I wrote, and I 
quote, ``Although press accounts have reported that the attack 
may have compromised the personal information of up to 27,000 
Federal employees, government cybersecurity experts now believe 
this number is a floor, not a ceiling,'' end of quote. I am 
talking about the people who work on Capitol Hill. I am talking 
about the people who work for the Federal Government--up to 
possibly 27,000.
    In response, I received a letter back from the chairman 
yesterday thanking me for my requests over the past year and 
acknowledging, and I quote, ``These serious incidents merit 
further review,'' end of quote.
    Mr. Chairman, I thank you for that. I hope we can start on 
this right away. After all, these are our constituents.
    Let me close by highlighting that this is much broader than 
HealthCare.gov--much broader. GAO, which is also represented 
here today, warns that the number of cyber attacks is 
increasing against targets across the Federal Government, and, 
obviously, the same is true of the private sector. So oversight 
is certainly called for, and I hope that our committee seizes 
the opportunity and rises to the challenge.
    With that, I yield back.
    Chairman Issa. I thank the gentleman.
    Chairman Issa. At this time, I would like to place in the 
record examples of State attorney generals' prosecution and 
relief on private-sector and even public-sector entities and 
the history of their going after entities for financial damages 
that allow breaches.
    Without objection, so ordered.
    Mr. Lynch. Mr. Chairman, can I get a copy of that?
    Chairman Issa. We will make copies available to all of you. 
It is all public information. And we did include both your 
Massachusetts attorney general, Vermont's attorney general, and 
Maryland's attorney general's actions on behalf of your 
constituents.
    Mr. Lynch. I appreciate that. Thank you.
    Chairman Issa. Members may have 7 days in which to submit 
opening Statements for the record.
    Chairman Issa. We now welcome our witnesses today.
    Mr. Gregory Wilshusen is the Director of Information 
Security Issues at the Government Accountability Office and the 
subject, obviously, of some frustration before he got here 
today.
    Ms. Marilyn Tavenner is the Administrator for the Centers 
for Medicare and Medicaid Services at the Department of Health 
and Human Services, thereafter called ``CMS'' today.
    Ms. Ann Barron-DiCamillo is the Director of the U.S. 
Computer Emergency Readiness Team at the Department of Homeland 
Security, hereafter probably called ``CERT.''
    Pursuant to the committee rules, all witnesses are to be 
sworn. Would you please all rise, raise your right hands to 
take the oath?
    Do you solemnly swear or affirm that the testimony you are 
about to give today will be the truth, the whole truth, and 
nothing but the truth?
    Please be seated.
    Let the record reflect that all witnesses answered in the 
affirmative.
    In order to allow sufficient time for your panel and then 
what I suspect will be a robust series of questions, I would 
ask that you limit your opening Statement to 5 minutes, 
although your entire Statements, including additional 
information that you may want to make available, will be placed 
in the record.
    So, Mr. Wilshusen, please continue.

                       WITNESS STATEMENTS

                STATEMENT OF GREGORY C. WILSHUSEN

    Mr. Wilshusen. Thank you, Mr. Chairman.
    Chairman Issa, Ranking Member Cummings, and members of the 
committee, I am pleased to be here today as you examine the 
implementation of the Patient Protection and Affordable Care 
Act.
    As you know, the act requires the establishment of a health 
insurance marketplace in each State to assist consumers and 
small businesses in comparing, selecting, and enrolling in the 
health benefit plans offered by participating private insurers.
    CMS is responsible for creating a federally facilitated 
marketplace for States that do not establish their own. This 
marketplace is supported by an array of IT systems, including 
HealthCare.gov, the Website that provides the consumer portal 
to the marketplace.
    My Statement today will summarize the key findings from our 
recently issued work on the security and privacy protections of 
the systems supporting HealthCare.gov.
    But before I proceed, Mr. Chairman, if I may, I would like 
to recognize several members of my team who are instrumental in 
performing this work. With me today is John de Ferrari, Marisol 
Cruz, Justin Palk, and Mark Canter. In addition, members from 
GAO's e-Security Lab also participated: Lon Chin, Wes Coile, 
Duc Ngo, and Michael Stevens.
    Chairman Issa. Could you all please stand so that we can 
all, at least for a moment, realize your contribution?
    Thank you. You may continue.
    Mr. Wilshusen. Thank you.
    HealthCare.gov-related systems, including the core systems 
of the federally facilitated marketplace and Federal Data 
Services Hub, represent a complex system that interconnects a 
broad range of Federal agency systems, State agencies and their 
systems, and other entities, such as contractors and issuers of 
health plans. The complexity and interconnectivity inherently 
introduces risk. Ensuring the security of such a system poses a 
significant challenge.
    To meet that challenge, CMS has undertaken a number of 
activities to enhance the security and privacy of systems 
supporting HealthCare.gov. For example, CMS has developed and 
documented security-related policies and procedures. It 
developed a process for remediating identified security 
weaknesses. CMS also created interconnection security 
agreements with the Federal agencies with which it exchanges 
information. And it instituted certain required privacy 
protections, such as notifying the public of the types of 
information that will be maintained in the system.
    However, CMS has not fully or effectively implemented key 
technical security controls to sufficiently safeguard the 
confidentiality, integrity, and availability of the federally 
facilitated marketplace and its information. For example, CMS 
did not always require or enforce strong password controls, did 
not sufficiently restrict systems from accessing the Internet, 
and did not consistently implement patches in a timely manner.
    CMS also had shortcomings in its information security and 
privacy management program. For example, system security plans 
for the federally facilitated marketplace and data hub 
generally contained most required information, but each plan 
was missing key security information. CMS had also undertaken a 
series of security-related testing activities that began in 
2012, yet these control assessments did not fully identify and 
test all relevant controls prior to deploying the systems. In 
addition, CMS did not fully assess privacy risk in its privacy 
impact assessments and had not fully established an alternate 
processing site for HealthCare.gov systems to ensure that they 
could be recovered in the event of a disruption or disaster.
    To assist CMS, we made six recommendations addressing the 
shortcomings with the information security and privacy program 
and 22 recommendations to resolve technical security weaknesses 
related to access controls and configuration management. CMS 
concurred or partially concurred with all 28 recommendations 
and noted that it was taking actions to address each of them.
    In conclusion, while CMS has taken important steps to apply 
security and privacy safeguards to HealthCare.gov and its 
supporting systems, weaknesses remain that put these systems 
and the sensitive personal information they contain at an 
increased and unnecessary risk of compromise.
    Mr. Chairman, Ranking Member Cummings, and members of the 
committee, this concludes my opening Statement. I would be 
happy to answer your questions.
    Chairman Issa. Thank you.
    [Prepared Statement of Mr. Wilshusen follows:]
    
    [GRAPHIC] [TIFF OMITTED] 
    
    Chairman Issa. Ms. Tavenner?

             STATEMENT OF THE HON. MARILYN TAVENNER

    Ms. Tavenner. Chairman Issa, Ranking Member Cummings, 
members of the committee, thank you for the opportunity to be 
here today.
    And I want to make everyone aware that CMS strives to be as 
responsive as possible. I understand that we have already 
provided over 140,000 pages of documents to this committee. 
Transparency is important, and that is why I am pleased to be 
here today and have the opportunity to answer your questions. 
And we will continue to produce documents.
    In the almost 5 years that I have had the privilege to work 
at CMS, my focus has been on how we can best serve our 
beneficiaries, including seniors on Medicare, adults and 
children on Medicaid and CHIP, and consumers enrolling in the 
marketplace. When I come to work each day, I work to expand 
coverage and competition, reduce cost, improve quality in ways 
that make a difference in people's lives.
    And we are making real and important progress. As of August 
15th this year, we have 7.3 million Americans enrolled in the 
health insurance marketplace coverage, and these are 
individuals who have paid their premiums. We are encouraged by 
the numbers of consumers who have paid their premiums and 
continue to enroll in the marketplace coverage every day 
through special enrollment periods.
    This is the most recent count of people who have coverage 
throughout the marketplace. Each month, this number will change 
slightly as consumers transition in and out of coverage as 
their life circumstances change--everything from getting a new 
job to moving to a new State or becoming eligible for Medicaid 
or Medicare.
    There is also good news about Medicare. Spending per 
Medicare beneficiary is growing slower than the overall 
economy. The Medicare trustees recently projected that the 
trust fund that finances Medicare's hospital insurance coverage 
will remain solvent until 2030, 4 years beyond what was 
projected just 1 year ago.
    We strive to make health care safer and better. In the last 
5 years, we have seen a 9-percent reduction in harm in 
hospitals, such as decreased healthcare-associated infections. 
This represents over 500,000 injuries, infections, and adverse 
events avoided; over 15,000 lives saved; and approximately $4 
billion in avoided costs. This adds up to better health care at 
a better price, and I know that makes a real difference for 
real people.
    Consumers also trust us with their personal information, 
and I take that trust very seriously. Security and privacy are 
one of our highest priorities. CMS has decades of experience in 
operating the Medicare program and its supporting systems, and 
we successfully protect the personal information of both 
beneficiaries and providers. However, we must continue to be 
vigilant and evolve our assessments and actions to keep up with 
ever-changing threats.
    Consumers can use the marketplace with confidence that 
their information is safe and take comfort in knowing that no 
personally identifiable information has been maliciously 
accessed from the site. Our systems are designed with security 
in mind, and our focus on security is ongoing. It did not end 
when the marketplace launched. CMS conducts continuous 
monitoring using a 24/7, multilayer, professional security team 
and penetration testing. Our systems comply with FISMA and 
standards promulgated by NIST and the Office of Management and 
Budget.
    There is risk inherent in any system. It is simply, sadly, 
a part of the cyber world in which we all live. We appreciate 
the work done by the GAO to suggest additional controls to help 
us further protect against these risks and are always seeking 
to improve upon the security protections in place.
    As we look forward to our second enrollment period, our 
goal is to build upon this progress and to address outstanding 
challenges. We are working to make it as seamless as possible 
for people to reenroll in coverage and reinforcing our outreach 
to help more uninsured consumers enroll in coverage. We are 
making management improvements with clear accountability and 
are committed to being transparent.
    This coming year will be one of visible and continued 
improvement but not perfection. As problems arise, we will fix 
them, just as we always have. Throughout my career as a 
hospital executive, nurse, and public servant, my focus has 
been on providing people with high-quality health care. I am 
proud of the progress we have made at CMS, and I hope to 
continue to work with Congress on our efforts.
    Thank you.
    Chairman Issa. Thank you.
    [Prepared Statement of Ms. Tavenner follows:]
    
    [GRAPHIC] [TIFF OMITTED] 
    
    Chairman Issa. Ms. Barron-DiCamillo? Is that closer? OK. I 
will try to do better. Thank you.

                STATEMENT OF ANN BARRON-DICAMILLO

    Ms. Barron-DiCamillo. Chairman Issa, Ranking Member 
Cummings, and members of the committee, thank you for the 
opportunity to appear before you today.
    We are also making every opportunity and every effort to be 
transparent at DHS--to be as transparent as possible.
    My name is Ann Barron-DiCamillo. I am the Director of US-
CERT within the National Cybersecurity and Communications 
Integration Center, also known as NCCIC. We lead the Department 
of Homeland Security's efforts in cyberspace to respond to 
major incidents, analyze threats, and share critical 
cybersecurity information with trusted partners around the 
world.
    US-CERT is a 24/7 operations center and receives and 
analyzes hundreds of incident reports a day. We work with 
public- and private-sector partner organizations and are 
committed to the protection of privacy and civil liberties for 
all Americans. At US-CERT, we strive for a safer, stronger 
Internet for all Americans.
    Established in 2003, US-CERT initially focused on securing 
U.S. Federal systems and networks. DHS's cybersecurity 
capabilities have grown immensely since the establishment of 
US-CERT, and we are working more closely than ever with 
partners across public and private sectors to develop a 
comprehensive picture of malicious activity and mitigation 
options.
    Cybersecurity is a shared responsibility and a continuous 
process. Our focus is helping our partners build a resilient 
and secure ecosystem in cyberspace. Protecting our networks 
requires coordination across a global cyber community to 
enhance others' capabilities as we continue to mature our own. 
While DHS leads the national effort to secure Federal civilian 
networks, agency heads are responsible for assessing the risk 
to their systems and taking appropriate measures to secure 
their networks. US-CERT supports agency heads and chief 
information officers in carrying out these responsibilities.
    I am here today in a technical capacity to provide findings 
from our analysis of the compromised test server at 
HealthCare.gov.
    US-CERT was notified of an incident by CMS, who has the 
oversight responsibility of HealthCare.gov. We conducted 
analysis of the images provided to us by CMS and found evidence 
of malware on a test server. As Stated by Ranking Member 
Cummings, our analysis concluded that there was no indication 
of personally identifiable information--also known as ``PII''--
exposure and no indication of data exfiltration. Additionally, 
there is no evidence of any lateral movement within the network 
or further infection.
    We have provided CMS a report with these findings as well 
as mitigation recommendations. Additionally, we were able to 
share indicators from our analysis so that agencies, partners, 
and stakeholders could better protect their own networks. We 
are currently in discussions with HHS to provide further onsite 
support.
    DHS remains committed to working with its Federal and 
private-sector partners to create a safe, secure, and resilient 
cyberspace. And I look forward to answering any questions that 
you might have.
    Chairman Issa. Thank you.
    [Prepared Statement of Ms. Barron-DiCamillo follows:]
    
    [GRAPHIC] [TIFF OMITTED] 
    
    Chairman Issa. I will start with you then.
    When did you find out you were going to appear here today?
    Ms. Barron-DiCamillo. I believe I was informed on Monday.
    Chairman Issa. And when did you begin preparing for today's 
hearing?
    Ms. Barron-DiCamillo. When I was informed on Monday.
    Chairman Issa. OK.
    Has CERT done a security testing of HealthCare.gov?
    Ms. Barron-DiCamillo. We were provided images from CMS of 
the compromised test servers, and we provided analysis----
    Chairman Issa. I appreciate that. The question was, has 
CERT conducted any security testing of HealthCare.gov's 
vulnerabilities?
    Ms. Barron-DiCamillo. No. As I stated in my opening 
remarks, we----
    Chairman Issa. So when Ms. Tavenner says there have been no 
loss of personally identifiable information, if you don't know 
the vulnerabilities, how would she know that to be true?
    Ms. Barron-DiCamillo. I believe that CMS conducts their own 
scanning and testing, but I am happy to----
    Chairman Issa. Did you verify their scanning and testing to 
be sufficient?
    Ms. Barron-DiCamillo. We would be happy to provide that 
information----
    Chairman Issa. Did you?
    Ms. Barron-DiCamillo. I haven't been provided any details 
on the scanning----
    Chairman Issa. So you don't know that?
    Ms. Barron-DiCamillo. Within the test network?
    Chairman Issa. Yes. It boils down to, you are here as an 
expert that I didn't expect from an organization that refused 
to give my staff any briefing related to it----
    Ms. Barron-DiCamillo. And I do apologize for that. I was 
under the impression that our staff was working with your staff 
to answer those questions. I'm happy to answer----
    Chairman Issa. No. As of yesterday afternoon, they put 
people who didn't have technical expertise on, who told us they 
would get back to us. That is after more than a week of 
information we have already put in the record where we were 
denied that.
    Maybe I will go on to GAO.
    I am going to ask, first of all, your indulgence. When this 
hearing is over, I would like you to accept the--pardon me?
    Mr. Cummings. No, I----
    Chairman Issa. Oh, OK.
    Mr. Cummings. I wanted to hear what you had to say.
    Chairman Issa. That can happen.
    I would like you to accept a briefing and do a supplemental 
related to the 13 breaches.
    Mr. Wilshusen. OK.
    Chairman Issa. Ms. Tavenner, I am going to presume that you 
will agree that he will have full access to all information 
related to that so that GAO may develop specific additional 
recommendations based on the actual breaches, if you will, the 
13 incidents.
    Ms. Tavenner. Yes, sir.
    Chairman Issa. OK. That will allow us to get what we don't 
have here today, and I appreciate that.
    But, Mr. Wilshusen, you have gone through an extensive 
amount. Would you describe for the committee the level of 
cooperation you believe you got? We have heard what you didn't 
get. Are there some good-news stories in the cooperation as you 
did your investigation, or your audit?
    Mr. Wilshusen. Well, there is some good news and then some 
not-so-good news, Mr. Chairman.
    As we began our audit--and, generally, we do receive good 
cooperation from the agencies that we audit as it relates to 
receiving information requests that we provide. In this case, 
initially, there were delays in providing certain documents 
that we had requested. In addition, CMS attempted to put 
certain restrictions on some of the documents. And----
    Chairman Issa. Did they cite why they were restricting? Are 
you just not trustworthy?
    Mr. Wilshusen. No, no. I think they indicated that they 
were concerned about the security--the sensitive security 
information in----
    Chairman Issa. So they don't trust you.
    Mr. Wilshusen. I wouldn't say that, sir, no.
    But we elevated the issue within GAO and within the 
Department, and we reached an agreement to where we would be 
able to and they did provide the information for us to look at.
    Chairman Issa. So, at the end of it all, there was no 
reason--after it was elevated, there was no reason that they 
should have denied it to begin with.
    Mr. Wilshusen. In my view, no. They should have provided it 
earlier. But, at the same point, you know, they had a concern 
about the security of the information, so they tell us. But, 
you know, their motivation would be probably better addressed 
by the Administrator.
    Chairman Issa. OK. Limited time, and I want to sort of set 
the stage for what others on both sides of the aisle may ask 
here.
    When you looked at the robustness of how they determined 
with such certainty that there had been no breaches, no loss of 
personally identifiable information, were you satisfied that 
all those procedures were robust enough that, with the 
certainty that Ms. Tavenner said that no losses had occurred, 
that no losses had occurred?
    Mr. Wilshusen. Well, we did not receive actual security 
incident reports on these incidents, at least on the 13. We did 
receive a written response to an interrogatory, in which they 
indicated that, at least for the 13, that there was certain PII 
that was compromised or disclosed to an individual, but it was 
a consumer. It was due to a technical glitch in----
    Chairman Issa. Wait, wait, wait. I want to understand.
    Mr. Wilshusen. Right.
    Chairman Issa. So personally identifiable information was 
lost or disclosed?
    Mr. Wilshusen. Was disclosed, according to their 
description. But----
    Chairman Issa. OK.
    Ms. Tavenner, others will ask additional questions, but 
your opening statement said none had been lost. How can we 
reconcile ``none has been lost'' with a sworn statement that 
some has been lost?
    Ms. Tavenner. I think what my statement said is there were 
no malicious attacks on----
    Chairman Issa. Oh. Oh, so if you just screw up and put the 
public's information out, it is OK because it wasn't a 
malicious attack?
    Ms. Tavenner. No, sir, I don't think any time we put 
consumer information out there it is OK. But I think----
    Chairman Issa. OK. So my time has expired, and I want the 
ranking member to have full time.
    I just want to make it clear that wordsmithing of ``no 
malicious was done'' versus ``accidental''--just as we 
discovered at the time of the launch that, if I went to the 
section above, you know, where the URL normally is, when that 
thing was launched, if I simply typed in a different number or 
a different State code, I could have looked at somebody else's 
record. That was part of what you guys had wrong on the day of 
the launch, is that you could simply go to somebody else's 
record by changing that long streak at the top, meaning no 
code. That wouldn't have been malicious, I guess, except that 
if somebody were doing it to see what they would get, that 
would be a little bit malicious.
    So when you say no personally identifiable information was 
lost through malicious, what you are saying is you don't know 
how much was lost, you just believe that the definition of 
``malicious'' wasn't met. Is that right?
    Ms. Tavenner. I actually--and I think this relates to the 
personal incidents. And I do think that we want to cooperate 
with the GAO on that, and we are happy to review those. And I 
think----
    Chairman Issa. Thank you. Your desire to want to cooperate 
after we bring you here involuntarily for a hearing is most 
appreciated, but, quite frankly, you should have cooperated 
with the GAO beforehand.
    Ms. Tavenner. Sir, I think the--I always like to cooperate 
with the GAO and the OIG. And we have had over 140 open audits 
underway, and I think we have cooperated. I would also like to 
say I came here voluntarily.
    Chairman Issa. Thank you.
    The distinguished gentleman from Missouri is now recognized 
for 5 minutes.
    Mr. Clay. And thank you, Mr. Chairman. Thank you for--and 
thank the ranking member for yielding his time.
    Mr. Wilshusen, GAO found that HealthCare.gov had security 
weaknesses when it was first launched in part because of a lack 
of adequate oversight of security contractors. Is that right?
    Mr. Wilshusen. We found that, with respect to when it was 
first deployed--and recognize that our audit occurred 
subsequent to the initial deployment--we found that, based on a 
review of the documents, there were certain vulnerabilities in 
controls that had not been tested at that time and that there 
were a few vulnerabilities that had been identified through 
testing through which the CMS had accepted in order to provide 
an authority to operate----
    Mr. Clay. Those responsibilities were incumbent upon the 
contractor, correct?
    Mr. Wilshusen. Well, overall responsibility, it rests with 
the----
    Mr. Clay. With the contractor? Or----
    Mr. Wilshusen. I believe--I think, in some cases, there may 
be incidents and we did identify weaknesses that were operated 
on systems operated by a contractor. But that was subsequent----
    Mr. Clay. OK.
    Mr. Wilshusen. That was during the course of our audit, 
not--that doesn't necessarily pertain to prior to the 
deployment of the system.
    Mr. Clay. Sure. And the GAO report found that there was not 
a shared understanding of how security was implemented among 
all entities involved in the development and security testing 
of the Website. Is that correct?
    Mr. Wilshusen. Yes, that's correct. And what we found, too, 
is that in certain instances where CMS told us who was 
responsible, or the contractor that was responsible for certain 
tests, such as implementing security on a firewall----
    Mr. Clay. Yes.
    Mr. Wilshusen [continuing]. It went to that contractor. The 
contractor indicated that it was not his responsibility, that 
it was another contractor, and that responsibility was not 
identified in that contract's statement of work.
    Mr. Clay. Yes, but scenarios like this obviously increase 
the likelihood of security risks. Is that correct?
    Mr. Wilshusen. Yes, sir.
    Mr. Clay. And was there a specific CMS official or group 
that was responsible for overseeing the security testing of 
HealthCare.gov? Is there a group?
    Mr. Wilshusen. Well, overall, the CMS CIO and CISO--I'm 
sorry--Chief Information Officer and Chief Information Security 
Officer have, I would say, overall responsibility for reviewing 
and assuring the security over the system.
    Mr. Clay. Now, for a project of this magnitude, shouldn't 
an agency official with a broad understanding of IT security 
testing oversee contractors?
    Mr. Wilshusen. I would say yes.
    Mr. Clay. And was that the case here?
    Mr. Wilshusen. I would say that, you know, there is--that 
CIO/CISO would be the individuals that would have that 
responsibility overall.
    Mr. Clay. OK. So who would the CMS official be that would 
have that kind of understanding of IT security testing? Was 
there a person in place?
    Mr. Wilshusen. Yes. Either they had the CMS CISO. In 
addition, there are several individuals that were responsible 
for aspects related to the security over the HealthCare.gov. 
There is also an information systems security officer that has 
responsibility for assuring that, you know, security controls 
are properly implemented.
    Mr. Clay. And, you know, the issues with IT security 
management did not start with HealthCare.gov. As a matter of 
fact, this is a broader government problem that needs to be 
addressed, don't you think?
    Mr. Wilshusen. GAO has been reporting information security 
and Federal information security as a governmentwide high-risk 
area since 1997. And so, sadly, yes, it is a broad government 
issue.
    There have been weaknesses--just as an example, for Fiscal 
Year 2013, 18 out of the 24 major Federal agencies covered by 
the Chief Financial Officers Act reported either a material 
weakness or a significant deficiency in their information 
security controls for financial reporting purposes. Twenty-one 
out of the 24--or IGs at 21 out of the 24 agencies also cited 
information security as a major management challenge. So yes.
    Mr. Clay. And so it would be fair to say that all Internet-
facing systems, both in the Federal Government and the private 
sector, involve some risk. Is that correct?
    Mr. Wilshusen. Given the nature of the Internet and the 
capabilities and prevalence of hackers who might try to exploit 
vulnerabilities, yes. The answer is there is risk in conducting 
online transactions.
    Mr. Clay. Thank you so much for your responses.
    And, Mr. Chairman, I yield back.
    Chairman Issa. I thank the gentleman.
    We now go to the gentleman from Florida for 5 minutes.
    Mr. Mica. Thank you, Mr. Chairman.
    And I have a copy of your report dated September 2014. And, 
in that, you, in fact, state and GAO found--first of all, I 
think you found that the testing was not complete and that the 
whole program was rolled out with weaknesses in security and 
protection of privacy. Would that be an accurate statement?
    Mr. Wilshusen. Yes.
    Mr. Mica. OK.
    I also see that you say that the GAO report strongly 
asserts that testing of the Website still remains insecure. Is 
that correct?
    Mr. Wilshusen. I would say that the testing of 
HealthCare.gov and the supporting systems has not been 
comprehensive----
    Mr. Mica. So even to date we have risks. Is that correct?
    Mr. Wilshusen. Today we have risks.
    Mr. Mica. Security risks, privacy information risks. OK. 
Thank you.
    And there was a--the rollout--they actually rolled this 
out, I saw in the report too--I guess four States had not even 
taken action to secure privacy?
    Mr. Wilshusen. I would characterize it more as they had not 
met CMS's----
    Mr. Mica. Right.
    Mr. Wilshusen [continuing]. Security requirements.
    Mr. Mica. Security requirements. And we will have those for 
the record, the States.
    Mr. Mica. So it is incomplete testing.
    Then I see, basically, a coverup of the failure that took 
place. Did you see any of that?
    They were trying--I went through some of these emails and 
some of the record the committee has. I don't know if you saw 
this. But it looks like quite a coverup, or they tried to not 
let the public know the failure of the rollout and the failure 
of them to protect this information. Is that correct?
    Mr. Wilshusen. I'm sorry, I could not comment on that 
because I have not seen the----
    Mr. Mica. Oh, I can tell you. It is page after page. I 
mean, I can't even use some of the language used here.
    Mr. Chairman, I would like to have some of this submitted 
in the record, this report.
    Chairman Issa. Without objection, so ordered. The entire 
report will be placed in the report.
    Mr. Mica. OK.
    It is astounding. Again, ``This is a [blanking] Disaster.'' 
I mean, this is one of the HHS people who saw what was going on 
at CMS.
    Politico has a 2-day story that talks about the issues and 
most detailed explanation, but it is just stating overwhelming 
traffic that couldn't have been replicated and tested.
    I mean, just one point after another of the coverup. And I 
think, unfortunately, people like Ms. Tavenner were involved in 
some of the coverup.
    Did you ever attempt, ma'am, to have any emails or records 
deleted as to what was going on in the failure?
    Ms. Tavenner. I'm not aware of the emails. I've not seen 
the emails you are responding to, so I can't answer that.
    Mr. Mica. Uh-huh. Uh-huh. Well, I have one email here, and 
you had asked that it, in fact, be deleted. And I can supply 
you with a copy of it. But it says, ``Please delete this 
email.'' And it goes on to detail what was going on, the 
failure that was going on.
    First of all, there was a company by the name of Serco that 
was employed to--or retained, a contract of $1.2 billion, is 
that correct, to process the paper applications?
    Ms. Tavenner. We retained Serco. I don't have the amount in 
front of me.
    Mr. Mica. Uh-huh. Well, again----
    Ms. Tavenner. I'm happy----
    Mr. Mica [continuing]. This email talks about Serco and the 
failure of the proper processing. There were problems with 
processing the paper applications.
    Ms. Tavenner. Congressman Mica, I'm happy to take a look at 
the email.
    Mr. Mica. Yes. And you had nothing to do with the awarding 
of a $1.2-billion contract, you would tell the committee too, 
right?
    Ms. Tavenner. I don't understand the question that you're 
asking me.
    Mr. Mica. Of the Serco contract to process paper.
    Ms. Tavenner. I'm actually not part of the----
    Mr. Mica. Here you're talking about Serco and the problems 
of the paperwork. You're asking for deleting of information.
    Then I looked a little bit into Serco, and the Serco 
scandal grows. Did you know that Serco had been awarded the 
contract, a $1.2-billion contract, while they were being 
investigated? It's a British, U.K. firm, and they were being 
investigated for some fraudulent activities in the U.K. as they 
were being awarded a $1.2-billion contract.
    Ms. Tavenner. No, sir, I did not----
    Mr. Mica. You weren't aware of any----
    Ms. Tavenner. And I think I stated that last year in a 
hearing.
    Mr. Mica [continuing]. Of the background.
    Again, I think we need to put this--Mr. Chairman, I would 
like to put this email in the record, where the witness asks 
that we delete this particular email and it dealt with the 
problems at Serco at that point.
    Chairman Issa. Without objection, so ordered.
    Mr. Mica. Finally, are you aware that you violate Federal 
law when you ask to delete information like this?
    Ms. Tavenner. Again, Congressman, I would need to see the 
email in order----
    Mr. Mica. OK.
    We'll provide the witness, if we could, with----
    Chairman Issa. We will pause quickly.
    If you will send it down to her. I think you might as well 
get it quickly done.
    I would ask unanimous consent to stop the clock and give 
her an opportunity to read it.
    Thank you.
    Mr. Mica. Just simply, is that your email, and did you ask 
to have it deleted? At the beginning, it states pretty clearly 
your intention.
    Mr. Chairman, I'll defer to you to get a response from the 
witness.
    Ms. Tavenner. This email is from me, yes, sir. That's 
accurate. And this email was written to Julie Bataille, who at 
the time was involved in the call center. And I think this is 
about the call center information. And I think that I asked 
that she delete this email because it involved sensitive 
information regarding the President's schedule, and I think 
that's actually the area that's redacted.
    But, no, it is not normally my custom to ask--sometimes I 
would ask that things be ``close hold'' or ``do not forward.'' 
But, in this case, it involved the President's schedule, if I 
remember this correctly.
    Mr. Mica. So, again, Mr. Chairman, I would also--I want the 
entire content of the email entered into the record and the 
reference further down to Serco.
    Thank you. Yield back.
    Chairman Issa. Thank you.
    I would just briefly, if I could have an indulgence--why 
would the President's schedule after the fact have any 
relevance to being needed to be deleted? I hear you, but the 
President's schedule becomes very public in realtime within a 
very short period of time.
    Ms. Tavenner. So I can't answer the reason why this is 
redacted. I didn't make the decision to redact it. That's done 
by our oversight----
    Chairman Issa. But you were surmising that it had to do 
with the President's schedule. The President's schedule is not 
all that secretive, and, after the fact, it has no relevance 
for protection.
    Ms. Tavenner. I understand.
    Chairman Issa. And, under the Federal Records Act, your 
communication is to be retained, correct?
    Ms. Tavenner. And it was retained. My immediate staff was 
copied on that, and that's why you have it. It was retained.
    Chairman Issa. OK. So deleting it doesn't change the fact 
that it had to be retained for the Federal Records Act.
    Ms. Tavenner. It is retained.
    And, in fact, if you are asking about our response to NARA, 
we did that out of an abundance of caution because we weren't 
sure. Because I didn't necessarily retain some emails if they 
related to scheduling changes and this sort of thing. So, going 
back to the issue of transparency and trying to be forthcoming 
about information, we decided to notify NARA.
    Chairman Issa. OK. I would hope that the unredacted 
versions of all this would be made available to the GAO. And I 
would ask simply that unredacted versions be seen by the GAO to 
see if, in fact, it's consistent with what we're hearing here 
today.
    Mr. Mica. Mr. Chairman, a unanimous request----
    Chairman Issa. The gentleman will state his request.
    Mr. Mica. I have articles about ``Serco Scandal Grows'' and 
people paid to do nothing and processing Serco's checkered 
past, ``White House Hired Sham Foreign Company for Obamacare,'' 
and a Forbes article, ``The Unhealthy Truth About Obamacare's 
Contractors.''
    I'd like these to be----
    Chairman Issa. Without objection, so ordered.
    Mr. Mica. Thank you.
    Chairman Issa. And, with that, we'll go to the gentleman 
from Pennsylvania for 5 minutes.
    Mr. Cartwright. Thank you, Mr. Chairman.
    And thank you to the witnesses for joining us here today.
    One of the most critical features of the Affordable Care 
Act is that it expands Medicaid eligibility to millions of low-
income American adults. Prior to the ACA, Medicaid eligibility 
was restricted primarily to low-income children, their parents, 
people with disabilities, and seniors. In most States, adults 
without dependent children were not eligible for Medicaid.
    According to a study issued in April 2014 by the Kaiser 
Family Foundation, only about 30 percent of poor, non-elderly 
adults had Medicaid coverage in 2012 and uninsured rates for 
poor adults were more than double the national average.
    Under the ACA, Medicaid eligibility can be expanded to 
cover all non-elderly adults with incomes below 138 percent of 
the Federal poverty level.
    Administrator Tavenner, is that correct?
    Ms. Tavenner. Yes, sir, I believe that is correct.
    Mr. Cartwright. All right.
    So the Federal Government pays States 100 percent of the 
costs for the first 3 years and then phases that down--phases 
its match down to about 90 percent in 2020. Despite this 
enormous level of Federal assistance, more than 20 States have 
decided not to participate in the expansion, leaving millions 
of their own citizens without health care.
    Administrator Tavenner, can you comment on the coverage gap 
that is resulting from these decisions not to expand Medicaid 
in those States?
    Ms. Tavenner. Yes, sir.
    I would start first by saying, with Pennsylvania's recent 
decision, we are now at 27 States, I believe, plus the District 
of Columbia, who have decided to expand Medicaid. And, 
obviously, if you look at a lot of independent studies, there 
is a noticeable difference in the States that have decided to 
expand Medicaid in terms of lowering the number of uninsured.
    We're going to continue to work with those remaining 20-
something. And we meet with them on a regular basis to do what 
we can to encourage folks to expand.
    Mr. Cartwright. Now, by not participating, aren't the 
States that aren't leaving billions of Federal dollars on the 
table that could be used to improve the health of their own 
citizens?
    Ms. Tavenner. Yes, sir, they are. And it also has economic 
consequences for those States, as well.
    Mr. Cartwright. Of course.
    Now, recently, some Republican Governors, as you have 
alluded to, who had originally refused to expand Medicaid have 
now reconsidered their original decisions and have submitted 
Medicaid expansion plans for CMS's approval. For instance, in 
my own State of Pennsylvania, as you mentioned, they decided to 
expand Medicaid, which will now provide health insurance to 
600,000 low-income adult individuals in our State.
    Administrator Tavenner, how will Medicaid expansion in 
Pennsylvania impact the health of its citizens?
    Ms. Tavenner. I certainly can get you information from 
independent studies, but there is a definite correlation 
between coverage of insurance and long-term health improvement.
    Mr. Cartwright. Good.
    Now--and I don't want to leave this question out. Other 
than political posturing by the Pennsylvania Governor, are you 
aware of any good reason why 600,000 good Pennsylvanians went 
without coverage for an extra 9 months from the rest of the 
States that expanded Medicaid right away?
    Ms. Tavenner. No, sir. We want everyone to expand and 
expand quickly.
    Mr. Cartwright. Well, Administrator Tavenner, why do you 
think Republican Governors are so divided on the issue of 
Medicaid expansion?
    Ms. Tavenner. Sir, I can't answer that. I'm not sure. I'm 
sure each State has their reasons. We just try to work with 
them and meet them where they want to be.
    Mr. Cartwright. All right.
    Do you expect to work with additional Governors who 
previously opposed Medicaid expansion but are now considering 
reversing their decisions?
    Ms. Tavenner. Absolutely.
    Mr. Cartwright. Well, I want to say I thank you for coming 
here today, and I thank you for your testimony.
    I hope that Governors in States that have so far not 
elected to expand Medicaid will reconsider, will consider the 
impact on their communities, to take advantage of this historic 
opportunity to lift up all of the Americans in their States, as 
well.
    Thanks again, Administrator Tavenner.
    And I yield back.
    Chairman Issa. Would the gentleman yield?
    Mr. Cartwright. I am out of time.
    Chairman Issa. Oh, OK. Well, at some future time, I'm happy 
to work with you and explain Republican Governors to your 
satisfaction.
    With that, we go to the gentleman from Utah, perhaps a man that 
will someday be a Republican Governor, for 5 minutes.
    Mr. Chaffetz. Reclaiming my time, I thank the chairman.
    And thank you all for being here.
    Ms. Tavenner, a question for you about the Oregon exchange. 
The American taxpayers put in some $304 million to develop that 
State exchange. Now they want to come over and make a 
transition.
    Did you or anybody at CMS conduct a cost-benefit analysis 
to determine that the switch to the Federal exchange was the 
most cost-effective for the taxpayers?
    Ms. Tavenner. Yes, sir. We did an analysis of what it would 
cost for us to bring in the two additional we're bringing in 
this year, Nevada and Oregon. And we did--I wouldn't say it 
would be a sophisticated analysis, but we did a cost analysis. 
And, as you might imagine, when we already have 36 States in 
the exchange, adding 2 more is cost-effective.
    Mr. Chaffetz. Could you share that analysis with us? Is 
that something you could provide to us?
    Ms. Tavenner. Certainly.
    Mr. Chaffetz. What is the additional cost?
    Ms. Tavenner. I don't have that in front of me, but I'm 
happy to get it for you.
    Mr. Chaffetz. When is a good time--when would I raise the 
flag and say, ``All right, that's been long enough''? Can you 
give me a sense of the time?
    Ms. Tavenner. We should be able to get you that in a few 
days.
    Mr. Chaffetz. Very good. Thank you. I appreciate that.
    Ms. Tavenner. It is part of our bill that is ongoing----
    Mr. Chaffetz. A few more questions about that.
    What is being done to claw back--I mean, there's $304 
million. Is that money all gone? Is there some of that coming 
back? Is somebody going to jail? What's going on with it?
    Ms. Tavenner. Each State--and, again, I am----
    Mr. Chaffetz. I want to talk specifically about Oregon.
    Ms. Tavenner. Yes.
    Mr. Chaffetz. That seems to be the most egregious.
    Ms. Tavenner. I think Oregon has very actively gone after 
their contractor, and I think that's been in the press. But I 
am happy to get you more details----
    Mr. Chaffetz. But what is the Federal Government doing? It 
was Federal taxpayer dollars--correct?--that went into it.
    Ms. Tavenner. Yes. These were actually grants awarded to 
States, and so the contract is between the State and the 
contractor. So the States were working that initially.
    Mr. Chaffetz. So CMS, Health and Human Services, Department 
of Justice, the Federal Government--I mean, pick your entity--
we're doing nothing to claw back those dollars?
    Ms. Tavenner. Ultimately--I think it's a little early in 
the decisionmaking right now. States are going after it on the 
basis of their individual contracts.
    Mr. Chaffetz. But the Federal taxpayers give $304 million, 
and we just say, ``Well, it's up to Oregon to figure out what 
to do.''
    Ms. Tavenner. We are obviously working with the State.
    Mr. Chaffetz. When we gave these grants, was there no 
condition or expectation that it would work? I mean, was there 
a deal that said that--did we just literally hand them over the 
money and we don't care what happens? I mean, it ultimately 
didn't work, correct?
    Ms. Tavenner. What we did are a series of progress reports 
and requirements with the States. And I'm happy to get you that 
information, as well.
    Mr. Chaffetz. I'm just trying to get some degree of 
specificity. I haven't heard you yet say we're doing something 
to try to claw back nearly a third of a billion dollars.
    Ms. Tavenner. I think what I've said is that States are 
doing that right now. And we are cooperating with States.
    Mr. Chaffetz. And so--but why is the Federal Government not 
doing anything?
    Ms. Tavenner. We are cooperating with States. The contract 
is between the State----
    Mr. Chaffetz. So we're just waiting for Oregon to tell us 
something.
    Ms. Tavenner. We are working with Oregon and other States. 
That's all I can say right now.
    Mr. Chaffetz. And, Mr. Chairman, I mean, I don't know how----
    Chairman Issa. That's all--just what she said, it's all 
she's going to say. She won't answer your question.
    Mr. Chaffetz. I know. I just think it is something that the 
Congress legitimately should look at. We give out $300-plus 
million, and we just call it a day and move on?
    Ms. Tavenner, is there any criteria or guidance for States 
who want to drop out and move to our exchange? Have you 
issued--or how do you evaluate those? Or do you just say 
``yes''?
    Ms. Tavenner. Well, we obviously have a list of criteria 
and requirements for the State to move from a State-based 
exchange to move to the FFM.
    These entities stay State-based exchanges. They can 
continue to do their marketing, their outreach. What we are 
doing is the FFM support. And there are criteria they have to 
meet for us to move them back into the system. And I am happy 
to share that with you.
    Mr. Chaffetz. OK. So you can--in that package?
    Ms. Tavenner. Yes. We have that.
    Mr. Chaffetz. Yes. In a few days, you'll share that with 
me, as well. I appreciate that.
    Ms. Tavenner. We have a lot of documentation.
    Mr. Chaffetz. Yes, OK. Thank you. I appreciate it.
    And, again, for my colleagues here, I just--we really have 
to look at this. It's stunning to think that we would hand out 
by the hundreds of millions of dollars to States and have no 
recourse, and if it doesn't work, we just kind of throw up our 
hands and say, ``Well, it's up to somebody else to figure it 
out.'' That is not the way we should operate. It is pretty 
stunning and very dissatisfying and doesn't produce results. 
It's not responsible, it's not accountable, and very 
frustrating.
    I yield back.
    Chairman Issa. I thank the gentleman.
    We now go to the gentleman from Massachusetts who was here 
first, Mr. Lynch.
    Mr. Lynch. Thank you, Mr. Chairman.
    I want to thank the members of the panel for your 
willingness to come here and help the committee with its work.
    Ms. Tavenner, generally, the way things work is that the 
private sector has far more resources than, oftentimes, our 
government entities, and they are better prepared, better 
incentivized to keep data secure. And that troubles me because 
I see a list of--I am also on the Financial Services Committee, 
as well. And we've been dealing with Home Depot. We've been 
dealing with Target. We've been dealing with JPMorgan Chase, 
the largest bank in the United States of America. We're still 
not sure about the breadth of that breach, but we're concerned 
about it.
    We have Heartland Payment Systems; that was 134 million 
people in the United States. KB Financial Group, 104 million 
people. Global Payments system, 950,000 people to 1.5 million; 
we're not sure yet. They even breached the Iranian banks, about 
3 million people. That was probably us who did that. 
Morningstar, 184,000 people. Citigroup, 360,000 people.
    So you've got all these big firms. Especially JPMorgan 
Chase, they've got some very, very smart people. They have an 
extreme financial interest, as well as a reputational interest, 
to hang on to that data.
    And so I'm just worried with the--with, sort of, the 
botched rollout, the difficulty with the State exchanges, 
including in my State of Massachusetts. We've had a bunch of 
data breaches related to health care.
    Are you sure that you can sit here under oath today and 
tell me that nobody's breached the, you know, HealthCare.gov 
site and that the folks whose healthcare information, tax 
information, personal information--that it remains secure today 
as we sit here?
    Ms. Tavenner. So let me answer that in a couple of ways. 
And I will go back to the chairman's point about transparency, 
as well.
    I dare say there is very little that concerns me more on a 
daily basis than the security of this Website, for a host of 
reasons. It's a new project. It has been very, very visible in 
the press on a daily, if not hourly, basis. And we do have the 
difficulty in the rollout.
    We have, even within our limited resources, spent a great 
deal of time and money securing the Website. We have been able 
to meet FISMA standards, OMB standards, HIPAA standards. But I 
will always worry about the safety and security of the Website.
    We've talked about the earlier incident with the malware. 
And yesterday I was informed of another case, not related to 
HealthCare.gov, but an independent site, if you will, that was 
working with the cloud, with Website material, where there was 
another malware incident. Now, there was no personal 
information. This is something that I don't even have the 
details of. But these are the types of things that worry me 
every day.
    We meet about security weekly. We review every----
    Mr. Lynch. Yes. I'm not hearing the answer to my question. 
And I appreciate all of that. Believe me, I really do. But I 
only have a minute left, and I think you're going to burn all 
my time here.
    So there's no guarantee that there has been no breach. I 
don't want to put it that way, but you don't seem to be able to 
give me a guarantee that there is not----
    Ms. Tavenner. Well, to date, we have had no malicious 
breach. We've had no breach of personal information.
    Mr. Lynch. OK. OK. That's fair enough.
    Let me ask you: One of the problems we're having with our 
credit card issuers--and I am just using this as an analogy--is 
that, for them, you know, that's product. They sell 
information. I think sometimes, by selling it, they bring on 
the breach themselves. But they also compile it so that these 
credit card companies have 15, 20 years' worth of data there 
all sitting there waiting to be hacked. So my purchases at Home 
Depot, you know, 10, 15 years ago are still part of that data 
grouping.
    Do we do anything to put firewalls up so that if there is a 
breach of the medical information that we can somehow limit the 
damage?
    Ms. Tavenner. So, first of all, yes, it's part of the 
design of the system. If you remember the hub, no information 
is stored on the hub. So that was one step.
    Second, we do not keep any medical information. There is 
some personal information, but we don't have a need for medical 
information. So that's not stored within the FFM.
    The only thing that is stored in the FFM itself, separate 
from the hub, is the ability to work appeals of cases for 
people who say, ``I didn't get a tax credit. I should have 
gotten a tax credit.'' So we keep it minimal, but we do have 
some storage----
    Mr. Lynch. But is that tax information in there?
    Ms. Tavenner. No. There's not tax information. There can 
be--sometimes people can state their income, but there is not 
tax information.
    Mr. Lynch. OK. All right.
    My time has expired. Thank you for your indulgence, Mr. 
Chairman.
    Chairman Issa. Thank you. Thanks for a very good round of 
questioning.
    We now go to Mr. Meadows.
    Mr. Meadows. Thank you, Mr. Chairman.
    Ms. Tavenner--I'm over here. Want to go ahead, and I'll 
speed through some of these questions.
    Ms. Tavenner, can you confirm that CMS will not change 
their open enrollment dates? I know we had so many different 
dates that changed before. Can you confirm to the American 
people and, really, to the providers that those open enrollment 
dates will not move?
    Ms. Tavenner. The open enrollment date for this year is 
November 15th through February 15th.
    Mr. Meadows. And those will stay firm?
    Ms. Tavenner. Yes, sir.
    Mr. Meadows. No changes.
    Ms. Tavenner. No changes.
    Mr. Meadows. They can count on it. OK. That's good news.
    All right. How about window-shopping? Last time, you had to 
actually enroll, put your--I had to go on--when I was shopping, 
I actually had to sign up to be able to figure out what I want. 
Is that going to be available?
    Ms. Tavenner. Window-shopping will be available, and you 
would not have to sign up this year.
    Mr. Meadows. So we're going to be able to compare plans----
    Ms. Tavenner. That's right.
    Mr. Meadows [continuing]. Without having to put in any 
personal data.
    Ms. Tavenner. Yes, sir.
    Mr. Meadows. OK. Great.
    So let me go a little bit further into this. Bryan Sivak 
has come and shared testimony here with this committee. Are you 
familiar with who he is at HHS?
    Ms. Tavenner. I know who Bryan is, yes.
    Mr. Meadows. OK.
    Let me read--when we were looking at the rollout, he says, 
``So to your question''--this was him in an email--``So to your 
question, how am I feeling about the launch, not good. Kind of 
heartbroken, actually. Whatever launches, if functional, will 
only technically meet the criteria of launching the exchange. 
It will be riddled with confusing and hard-to-use compromises. 
But I really don't know. I'm not seeing anything that's being 
delivered. It's just piecing things together kind of through 
the grapevine.''
    And so there was not a real communication going on between 
CMS and HHS during the whole HealthCare.gov launch?
    Ms. Tavenner. I am not familiar with that email. At least I 
don't think I am. I----
    Mr. Meadows. Well, I mean, I guess the question is, was 
there a whole lot of coordination between HHS and CMS 
technology people going through? Because I have been led to 
believe that HHS only found out really what was going on 
through informants.
    Ms. Tavenner. Well, we did weekly updates with HHS on the 
Website----
    Mr. Meadows. So they didn't have to have informants to find 
out what was going on?
    Ms. Tavenner. I can't remember if Bryan was in those 
meetings or not, but I wouldn't think they would need 
informants.
    Mr. Meadows. OK.
    Did Bryan recommend to you that the Website launch should 
be delayed because of security testing concerns?
    Ms. Tavenner. Bryan did not recommend to me that the launch 
should be delayed. Bryan did discuss in a----
    Mr. Meadows. Because he shared with the committee that he 
did. So are you sure that he did not say that we should not 
delay the launch because of security concerns?
    Ms. Tavenner. I think I need to finish my sentence.
    Mr. Meadows. My apologies.
    Ms. Tavenner. That's all right. The rest of that sentence 
is: There was a discussion about would it be possible to beta 
test or launch a few States as opposed to bringing up the 
entire FFM. And I and the team did not think that was possible.
    Mr. Meadows. And why did you not follow his advice?
    Ms. Tavenner. About the beta site?
    Mr. Meadows. Well, about delaying it.
    Ms. Tavenner. Yes. So----
    Mr. Meadows. I mean, you say ``beta site,'' I say 
``delay.''
    Ms. Tavenner. Yes.
    Mr. Meadows. But whether you're right or I'm right, why did 
you not follow his advice?
    Ms. Tavenner. Well, I didn't think that it was possible, 
the way that the FFM was configured, to do that, nor did I 
think that it was necessary.
    Mr. Meadows. OK. You shared your testimony earlier; you 
shared your resume. What part of your resume included IT 
background? Because that was his expertise. You sounded like 
you're a healthcare provider, not an IT expert.
    Ms. Tavenner. Well, I am a healthcare provider. I've 
probably become more of an IT expert in the last year. But I 
was taking----
    Mr. Meadows. But at this particular--this was in January. 
So at what particular point did your IT expert outweigh his?
    Ms. Tavenner. Actually, taking the recommendations of our 
IT expert team inside CMS, as well as our CMS contractors, who 
I felt were a lot closer to this issue than Bryan----
    Mr. Meadows. All right. So now we can look backward and 
realize that the rollout was a disaster. So what do you think 
of your IT expertise within CMS today? Was Bryan right, we 
should have delayed it?
    Ms. Tavenner. I don't know that Bryan was right. I know 
that----
    Mr. Meadows. Was he closer to right than your team?
    Ms. Tavenner. Not necessarily. I know that we have come a 
long way in our launch. And, as I said earlier, we have 7.3 
million people paying premiums across----
    Mr. Meadows. I didn't ask how many had signed up. This is 
about security, and he had a concern in January about security, 
and yet you ignored his advice. Why would that have been?
    Ms. Tavenner. Because I had my own IT team who conveyed to 
me that they were confident in the project.
    Mr. Meadows. All right.
    I yield back. I am out of time.
    Chairman Issa. If either of the other witnesses want to 
comment on the answer to the gentleman's question about, a year 
ago, was the site ready and should it have launched in 
retrospect?
    Mr. Wilshusen. Well, I would just say that, at the time it 
was launched, that CMS did accept increased risk from a 
security perspective.
    Ms. Barron-DiCamillo. Not having reviewed the data that the 
CMS IT team had, I wouldn't feel comfortable in commenting 
associated with that. I think it's important to have eyes on 
the project and be part of the team to make those decisions. 
It's very difficult as a third-party partner participant to 
make that kind of assessment without the actual knowledge and 
data.
    Chairman Issa. Well, as a former businessman, I would say 
that a site that couldn't accommodate a few hundred people 
simultaneously signing on and people waiting for weeks or 
months, security wasn't the reason that that should not have 
launched. But I appreciate that you're here on security today.
    The gentlelady from New York, a place where IT comes first 
for many of her constituents, is recognized for 5 minutes, Ms. 
Maloney.
    Mrs. Maloney. That's true. And that's true of the west 
coast, too.
    I just want to note that this is the committee's 29th 
hearing on the Affordable Care Act and the sixth on the 
Website.
    Chairman Issa. We've got two more to go.
    Mrs. Maloney. Oh, come on. Please.
    I want to focus on some very positive things, and that is 
the cost growth is slowing to historic lows. And that was one 
of the huge challenges that we confronted the whole time that I 
have been in Congress, is just the whopping cost in health care 
in our country.
    Now, contrary to some of my colleagues' claims that the 
Affordable Care Act is causing healthcare costs to skyrocket, 
there have been multiple reports recently that show that the 
growth of healthcare spending in the United States is slowing 
to historically low levels. And that is good news for everyone.
    Administrator Tavenner, earlier this year, the Centers for 
Medicare and Medicaid Services issued its national health 
expenditure report. Are you familiar with that report?
    Ms. Tavenner. I am familiar with that report.
    Mrs. Maloney. Well, the report found that national health 
spending grew by just 3.7 percent in 2012, a near-record low, 
and the fourth consecutive year of slow growth of healthcare 
costs.
    In your opinion, what factors are driving this historically 
low rate of growth?
    And I'd like the others to chime in, too, if you would like 
to add to her response.
    Ms. Tavenner. I think that we all felt it was a combination 
of things: certainly, the recession early on; but as time went 
by and we continued to see this historic low growth, I think 
some of the actions in the Affordable Care Act have made a 
difference.
    And it is an ongoing conversation I have with my actuary. 
And I think he would agree, if he were sitting here with me, 
that it's both. But the Affordable Care Act has made a 
difference.
    Mrs. Maloney. Mr. Wilshusen?
    Mr. Wilshusen. I'm sorry, that was outside the scope of my 
review, so I can't really comment on it.
    Mrs. Maloney. OK.
    Any comment, Ms. Barron?
    Ms. Barron-DiCamillo. That is something that I have not 
been involved in as the Director of US-CERT.
    Mrs. Maloney. OK. Fine.
    Well, earlier this month, CMS released its national health 
expenditure projections for 2013 through 2023. And according to 
these estimates, national health expenditures grew just 3.6 
percent in 2013. Is that correct?
    Ms. Tavenner. I believe that is.
    Mrs. Maloney. This is the lowest rate of growth since the 
Federal Government began keeping such statistics since 1960. I 
would call this a very positive development in public policy. 
Would you agree, Ms. Tavenner?
    Ms. Tavenner. I would totally agree.
    Mrs. Maloney. What about the next 10 years? We're always 
looking ahead. I know CMS projects an uptick in health spending 
overall due to the large number of people who are newly insured 
through the Affordable Care Act, but what about per-enrollee 
health costs?
    Ms. Tavenner. So, going back to that report, I think the 
trend is expected to move back up, with the number of 
individuals in Medicare and others. But I think that stresses 
the importance of our success in tying together delivery system 
reform, payment and quality, and why that works is critical 
that we continue it.
    Mrs. Maloney. Well, why will they grow more slowly than 
before the Affordable Care Act?
    Ms. Tavenner. I think because of some of the measures that 
we've put in place with the Affordable Care Act, such as tying 
payment to quality, tying payment to outcome, looking at things 
such as accountable care organizations, kind of transforming 
the delivery system, which is a work in progress.
    Mrs. Maloney. Now, the Kaiser Family Foundation recently 
released an annual employee health benefit survey. And this 
report indicates that the slowdown in health spending also 
extends to employer-sponsored insurance--more good news. And 
according to Kaiser, premiums in employer-sponsored health 
plans grew only 3 percent in 2012.
    So I would like to ask you--that's tied for the lowest rate 
of growth since Kaiser started measuring the growth of employer 
healthcare plans. And is that report correct? Do you agree with 
the Kaiser report with the data you've been looking at?
    Ms. Tavenner. Yes, I've reviewed the Kaiser report, and 
employer insurance does tend to follow what we're seeing in 
Medicare and Medicaid. So yes.
    Mrs. Maloney. Well, this seems to be very good news for the 
American consumers and our overall delivery of healthcare 
service. So I'm very pleased with these reports. And what do 
they say? Numbers don't lie. And the numbers are showing that 
it's showing an improvement. So I want to congratulate you and 
your colleagues on your work to help bring this to the 
American people.
    Thank you.
    Ms. Tavenner. Thank you.
    Chairman Issa. Thank you.
    The gentlelady from California, Ms. Speier.
    Ms. Speier. Mr. Chairman, thank you.
    And thank you to our witnesses.
    First of all, I'd like to congratulate you. You have lived 
through the real-life ``Survivor'' show and have succeeded.
    I find the fact that we have engaged in the most thorough, 
repetitive review of the implementation of the ACA as an 
incredible waste of your time.
    Now, there is a lot of good news, as my good colleague from 
New York has just underscored. And it is really quite 
interesting to me that, for the longest time, there were all 
those who were panning the Affordable Care Act, saying, we'll 
never get the numbers. And then, lo and behold--and you 
announced it earlier, Ms. Tavenner, I believe--over 7.3 million 
subscribers. Correct?
    Ms. Tavenner. Correct.
    Ms. Speier. And then the hue and cry was, well, they won't 
pay for it; they'll pay 1 month, and then they won't pay any 
longer, and it will fall on its face.
    That hasn't been the case either, has it?
    Ms. Tavenner. No, ma'am.
    Ms. Speier. OK.
    So the chairman of the committee and a number of 
Republicans just sent you a letter, and I want to read it out 
loud, one segment of it.
    ``In order to enroll beneficiaries in the exchange, 
HealthCare.gov collects, obtains, and retains massive amounts 
of personally identifiable information about millions of 
Americans. This information includes Social Security numbers, 
personal addresses, income and employment records, and tax 
return records. It is extremely important that CMS and the 
other Federal agencies involved in the exchanges properly 
protect and maintain this sensitive information.''
    Now, I actually agree with that statement, and I presume 
you agree with that statement.
    Ms. Tavenner. Yes, I do.
    Ms. Speier. And having agreed with that statement, have 
you, to date, had any cyber attacks that have resulted in 
personally identifiable information being stolen?
    Ms. Tavenner. We have not had any malicious attacks on the 
site that have resulted in personal identification being 
stolen. As the chairman rightfully brought up earlier, we did 
have some technical issues on the front end that we had that 
were our own doing that we had to----
    Ms. Speier. That's right. But we're in the present day, and 
let's look to where we are and where we're going. OK.
    Now, meanwhile, Target's security breach included 110 
million Americans that were potentially affected. That's 110 
million. You're certainly aware of that.
    Ms. Tavenner. Yes, I am.
    Ms. Speier. So my staff checked the U.S. Census Website, 
and it says the total population of the United States is 319 
million. So more than a third of Americans potentially had 
their personally identifiable information breached, stolen, as 
the result of that Target data breach. But, strangely, there 
wasn't any interest by this committee to have a hearing on 
that, affecting potentially a third of the American people.
    Let's see, 110 million people affected and no hearing; zero 
people affected, and we've had dozens of hearings. It seems 
like our priorities are not quite on what the American people 
would be interested in.
    Now, we do know, as a result of Target, that the hacking 
came from outside this country. It appears it came from Russia 
or from some region near there. And rather than trying to find 
out where these hackers are coming from and how we can 
forestall them, we're going to waste more of your time asking 
you a number of questions about issues that haven't even 
impacted.
    Now, some would say, well, except that's a private 
business. Well, how about USIS? USIS has a contract with the 
Federal Government. It does security checks. And 27,000 people 
have had their personal information stolen from USIS, a Federal 
contractor. And have we had a hearing on that? Nope. It appears 
that's not important either.
    So I want to just commend you all for recognizing that you 
have to do this no matter what, come to these committee 
hearings. You do it with great respect, and we appreciate that. 
I hope we can send you back to do work that the American people 
would like you to do.
    And I yield back.
    Chairman Issa. We now recognize the gentleman from Maryland 
for 5 minutes.
    Mr. Cummings. I want to thank all of you for being here 
today as we come to the end of this hearing.
    I'd just--you may--Ms. Tavenner and others, you may never 
hear the full thank-yous of people who are going to stay alive 
because of what you and your colleagues have done. And I really 
mean that. There are people--there's a mother who is now going 
to be alive, that may have been suffering from cancer, breast 
cancer, like a lady in my district, couldn't get treatment, but 
she's alive. She got treatment.
    I have a sister that does a lot in the area of breast 
cancer, and they were waiting--they had women who had been 
tested, and they were waiting for the Affordable Care Act to 
pass and to come into effect so they could get treatment. I 
have come to you today and to your colleagues to thank you.
    I tell the story that, when the Affordable Care Act came 
up, I had one prayer. I came to the floor early. I sat on the 
front row, and I had one prayer. I said, ``God, do not let me 
die before I vote for it.'' And the reason why I said that is 
because I've seen so many people who were sick and could not 
get well.
    You know, Johns Hopkins is smack-dab in the middle of my 
district--a great hospital, one of the greatest in the world. 
People fly from all over the world to come to Johns Hopkins. 
And there are people standing on the outside, could not get in, 
but the treatment was in there.
    And so, you know, I know your colleagues are looking on, 
and I just don't want--I know they have been through a lot.
    And I remember when we had the Website problem, and many 
were saying, oh, we can never get through this, oh, you know, 
this is just so horrible. And everybody was warning that 
everything would collapse. But you know what I said? This is a 
can-do nation. This is a can-do nation. And we need to 
definitely do when it comes to the health of every single 
American.
    And I listened to what you said a moment ago about how, day 
after day, you worry about making sure that people's 
information is protected. We could not pay you enough or pay 
your colleagues enough to go through what they have been 
through and to worry as you have worried and to do everything 
in your power to be protective of the American people. And, 
yes, you're going to be criticized. Yes, folks are going to try 
to say all kinds of things about you. But I have come here at 
this moment to simply say thank you. Thank you for my 
constituents. Thank you for constituents--our constituents all 
over this country.
    And, you know, sometimes I think about illness, and a lot 
of people--I wonder if people have not been ill themselves when 
they see other people in the position of getting sick or sicker 
and dying. I wonder whether or not they have ever been ill. And 
that troubles me because--I think President Obama said it best, 
and I wish I had coined this phrase myself. He said, sometimes 
we have an empathy deficit--an empathy deficit.
    And so I take just a moment to thank you and just have just 
a few questions.
    I'd like to ask you about the attack by the hackers last 
summer against HealthCare.gov. It is my understanding that this 
attack was not limited to HealthCare.gov alone but included a 
broader universe of targets. Is that right?
    Ms. Barron-DiCamillo. So based upon the analysis that our 
team did, it was a typical kind of malware that's dropped for 
denial-of-service attacks. So, basically, they were trying to 
create a node and a botnet to use for denial-of-service 
attacks. So, yes, they look at resource servers like this to 
use them for those types of attacks.
    Mr. Cummings. And the hackers were able to place malware on 
a server, but it was a test server that did not have any 
personal information. Is that correct?
    Ms. Barron-DiCamillo. Based upon the analysis that our team 
did, it was a test server that was deployed with its out-of-
the-box configuration, meaning that the password--the default 
password hadn't been updated.
    Mr. Cummings. I just have two more questions.
    As I understand it, the type of malware at issue is called 
denial-of-service----
    Ms. Barron-DiCamillo. Uh-huh.
    Mr. Cummings [continuing]. Malware, which is designed to 
slow down or even shut down the system but not extract 
information. Is that right?
    Ms. Barron-DiCamillo. Correct. The malware is to use the 
resource of the server as part of this botnet. And so it wasn't 
targeting the server; it was using the resource of a server as 
part of the botnet for another victim.
    Mr. Cummings. And so how common are these kinds of denial-
of-service malware attacks?
    Ms. Barron-DiCamillo. I'm sorry?
    Mr. Cummings. How common are they?
    Ms. Barron-DiCamillo. They're very frequent. They happen 
every day across the globe on the Internet.
    Mr. Cummings. So the bottom line is, at least as of now, no 
personal information was transmitted outside the agency. Is 
that right?
    Ms. Barron-DiCamillo. Correct. The breach was discovered by 
CMS. It was alerted to us. We looked at the images that were 
provided. There was no exfiltration of data. There was no loss 
of PII due to the segmentation of the network. This is a test 
network separate from the production network. So there was no 
lateral movement into the production network associated with 
this activity.
    Mr. Cummings. All right. Thank you.
    Ms. Barron-DiCamillo. Thank you.
    Chairman Issa. Well, I guess--I've still got more 
questions, but let me just make some statements, and then I'll 
ask a couple more questions.
    You know, Ms. Speier has left, and it's unfortunate because 
Mr. Lynch was here earlier, and when this was all being said 
about when are we going to hold all kinds of hearings, they 
forgot to mention that there's a committee that Mr. Lynch 
belongs to, the Financial Services Committee, and they've held 
hearings because they oversee the financial community, meaning 
Home Depot, Target, these other companies they're referring to. 
Those fall under that committee's primary oversight because 
these were financial-transaction-related.
    My staff also mentions that the Federal Trade Commission, 
the Department of Justice, the CFPB, and the FDIC also are 
looking into each and every one of those.
    So, with tens of millions of dollars, countless agencies 
and individuals looking at each of these, the question is, Ms. 
Tavenner, who's been looking at you?
    Mr. Wilshusen, in a nutshell, one of the things that you 
said at the beginning was they didn't have strong passwords, so 
somebody could put in a short password and not change it. Is 
that correct?
    Mr. Wilshusen. That's correct. We identified several 
technical security control weaknesses with HealthCare.gov and 
its supporting systems.
    Chairman Issa. So somebody who didn't change the password 
created a huge vulnerability, particularly if they had a high 
level of access. Is that right?
    Mr. Wilshusen. If they used a weak password that could be 
easily guessed, that would be an increased risk.
    Chairman Issa. So ``Marilyn'' and her birth date, if that 
were used, would have been easy to guess, certainly would have 
been tried.
    Did they have advanced lockout systems in detection and 
reporting?
    Mr. Wilshusen. One of the things--I don't want to get too 
detailed into the types of security controls so we don't give 
any information----
    Chairman Issa. Yes, we don't want to tell how weak it still 
is. I understand that, so I'll be a little bit careful on that. 
But there are techniques that, if they were in place, would 
have been much more secure.
    Mr. Wilshusen. Sure. And the weaknesses that we identify 
are all--can be corrected and resolved almost immediately.
    Chairman Issa. So what you found a year into this site was 
they were not using best practices.
    Mr. Wilshusen. We identified several weaknesses that 
increased risk and unnecessarily increased preventable risk.
    Chairman Issa. We pay a huge premium for CIOs, Senior 
Executive Service. We, the Congress, have authorized special 
high pay, a quarter of a million dollars and more, to get 
certain people with special expertise. And we've had some of 
them before this committee.
    You're telling us, a year into this site, they simply have 
not put in what people would consider best practices in some 
cases, such as a requirement for a strong password and periodic 
changing of them and a lack of redundancy on passwords--common 
things that protect sites, right?
    Mr. Wilshusen. Yes, those things should be done. Yes.
    Chairman Issa. You know, what's amazing is Target and Home 
Depot had those kinds of protections, but there was a malicious 
attack from a foreign nation with advanced tools, some of those 
tools being exactly the tools that our CIA and NSA use to go 
after the worst of the worst, and we succeed all the time.
    So what I'm finding here today is that everyone wants to 
talk about organizations that employed, in many cases, best 
practices, that did their best, and then were targeted by very 
advanced networks, criminal networks, networks that may even 
have had the KGB's successor helping them hack. And they want 
to talk about those rather than a lack of commonsense, simple 
practices to secure a Website. Isn't that true?
    Mr. Wilshusen. I would say that probably the majority of 
Federal incidents that occur within the Federal Government 
could be resolved, perhaps prevented, if agencies would 
practice strong cybersecurity. There's always going to be a risk 
that you come across an entity, a foreign intelligence service 
that has very sophisticated techniques that may be difficult to 
protect against, at least to prevent. But, by and large, many 
security incidents could be corrected and prevented if the 
agencies practiced strong security controls.
    Chairman Issa. Now, even without seeing the 13 compromises 
that occurred, you were able to make, and CMS accepted, a lot 
of suggestions that are improving the site here today.
    Mr. Wilshusen. Yes. We've looked at the security controls 
over those devices that we looked at and identified 
vulnerabilities that could be corrected. And CMS concurred with 
each of the 22 technical recommendations that we're making.
    Chairman Issa. So all of the talk about this robust team, 
all of those experts brought in from Silicon Valley, special 
people that worked on the President's reelection, all those 
people had missed those 22 points.
    Mr. Wilshusen. That I can't answer in terms of----
    Chairman Issa. Well--but when you suggested these, did they 
say, oh, we were already doing them, we just forgot? Or did 
they say, we weren't doing them and now we will?
    Mr. Wilshusen. I would just say that we identified them 
during the course of our review, and they've accepted our 
findings and indicated that they will implement our 
recommendations.
    Chairman Issa. You're very kind.
    Ms. Tavenner----
    Mr. Meadows. Would the gentleman yield for just one quick 
point?
    Chairman Issa. Of course.
    Mr. Meadows. A lot has been talked about in terms of the 
different sites and Home Depot and Target. And I was one of 
those that shopped at Target, and I have a new credit card 
today.
    There are two distinct differences. One is I'm not 
compelled by law to shop at Target. I am compelled by law to 
sign up for Obamacare. There's a huge difference.
    Mr. Chairman, what happens is that those are voluntary 
transactions, of which I don't have to give my Social Security 
number to them. I give them a credit card, and I do a 
transaction. It's very different for HealthCare.gov.
    I thank the gentleman.
    Chairman Issa. That's very true. I thank the gentleman.
    We now go to the gentlelady from New Mexico, who has 
arrived, for a round of questioning.
    Ms. Lujan Grisham. Mr. Chairman, thank you very much for 
recognizing me.
    And I want to thank the panel here today.
    And I share many of my colleagues' concerns that we should 
be doing the very best to protect information. And, certainly, 
we've led in the private-sector world, with HIPAA and related 
requirements, on security protections and working diligently 
and tirelessly to make sure that patient protection, patient 
privacy, and now financial information must be protected.
    And I think that the point is important that every person 
must sign up and be insured through the Affordable Care Act. 
And I want to just read this because I think it bears--in the 
context of this hearing, I think it bears repeating.
    So, in GAO, in the March 2013 report, found that the 
Federal Government continues to face cybersecurity challenges, 
including designing and implementing risk-based cybersecurity 
programs at Federal agencies, establishing and identifying 
standards for critical infrastructures, and detecting and 
responding to and mitigating cyber incidents.
    And, since that report, we've got 28 GAO additional 
recommendations that I know that we've been talking about today 
in this hearing.
    In fact, GAO has designated Federal information security as 
a high-risk area in the Federal Government since 1997. And I 
think that there isn't anyone in this committee or anyone in 
Congress or the public that doesn't think that more should be 
done and that, in fact, that we embrace every potential 
positive, productive, professional recommendation moving 
forward.
    And so, given that, Ms. Tavenner, knowing that the upcoming 
November open enrollment period is coming for millions of 
Americans who will be shopping on the exchanges, how prepared 
are you to take these 28 recommendations and others to assure 
protection?
    Ms. Tavenner. Yes, ma'am. Let me start with the 22 
technical recommendations. Nineteen of those have been 
resolved, fully mitigated, or will be further reviewed prior to 
open enrollment. So those will be handled. Of the six other 
recommendations, we are in the process of either completing--
have completed those or will complete those prior to open 
enrollment.
    Ms. Lujan Grisham. And based on the 19 that you have 
identified, Ms. Tavenner, and the remaining measures to 
implement, you are confident that not only are they implemented 
but they're tested and will have, to the greatest degree--I 
mean, I might disagree with some of my colleagues, that we can 
do everything in our power, and those hostile, those negative, 
those who intend us harm and intend to access that information 
for their own gain will find ways to do that. I want to make 
sure that we are doing everything that we know that mitigates 
and prevents and gives us the opportunity to also detect when 
there has been a problem.
    You're confident that these will be tested and in place by 
the open enrollment period?
    Ms. Tavenner. I am confident. But we will never quit 
continuing to try to improve the process. Our work with the 
Department of Homeland Security, our work with GAO, OIG will 
always be looking for improvements.
    Ms. Lujan Grisham. I appreciate that. And given that we 
know we are working on another issue in my State, I appreciate 
your attention to that and your coming.
    Mr. Chairman, we're working a behavioral health issue. For 
me, it all ties to making sure that consumers have confidence 
that they're protected in a way that CMS is responsible to 
protect those citizens, that they are clear that your 
responsibility and oversight is paramount to the work that you 
do, and that the access to health care is only as good as 
making sure that the information and the protections that are 
required by law are, in fact, in place and that they can go to 
CMS when there is a problem and have that resolved objectively 
and appropriately.
    And I really appreciate your attention to all those 
matters.
    Ms. Tavenner. Thank you.
    Mr. Cummings. Would the gentlelady yield?
    Ms. Lujan Grisham. I yield.
    Mr. Cummings. Ms. Tavenner, I just want to make sure that I 
understood what you just said, that--and I agree with every 
word that my colleague just said. But you're saying that there 
are six recommendations left. Is that right?
    Ms. Tavenner. There were six major--and please correct me, 
Greg, if I get any of these wrong--there were six major 
recommendations. And we're in the process of completing those, 
and some of them are done. And the answer to those is all of 
them would be done prior to open enrollment.
    Mr. Cummings. And open enrollment starts when?
    Ms. Tavenner. November 15th.
    Mr. Cummings. So we can--can this committee--would you let 
us know officially when they are done?
    Ms. Tavenner. Yes, sir. I think----
    Mr. Cummings. To the chairman and myself? I'd really 
appreciate that.
    Ms. Tavenner. Yes, sir.
    Chairman Issa. If the gentlelady would further yield?
    The earlier report we had is you didn't agree to all six, 
but you agreed to three out of the six. You now will agree and 
complete all six?
    Ms. Tavenner. So I think in some of them we partially 
concurred, but we're getting the work done, whether we totally 
agreed or not.
    I think there were some things--for instance, there was a 
different description of how we did security testing versus 
what GAO wanted. That wasn't an action we would change, but we 
understand where they're coming from. We just have a different 
way of getting the security testing done.
    The rest of these, things such as the privacy impact 
statement, we will have that done. That was a documentation 
issue. The computer matching agreements with Peace Corps and 
OPM, we agreed with that, and we'll get that in place prior to 
open enrollment. Also a security agreement governing Equifax, 
we agreed with that; we'll complete that.
    Of the 22 technical recommendations, 19 we have already 
done, the others we're reviewing. And I'll be happy to do 
something in writing back to the chairman and to the ranking 
member.
    Chairman Issa. I think we both would appreciate it.
    Ms. Tavenner. All right.
    Chairman Issa. The gentlemen from North Carolina?
    Mr. Meadows. I wanted to follow up on one thing, Ms. 
Tavenner. And, really, as we start to focus on some of these 
other issues, it takes our eyes off of the core issue, and 
that's what the ranking member was talking about, is providing 
health care really to the American public. And that is your 
primary responsibility. I can tell that you take that 
seriously.
    It is a distraction, to say the least, when we have a 
billion dollars spent on a Website that doesn't work, security 
issues that are there. But along that same time, there was a 
rule that came out with regards to Medicare Part D in January, 
a rule that really would limit some of the options of our 
seniors, a rule that you came, much to your credit, and said we 
are not going to do. And I want to say thank you for doing that 
on behalf of millions of senior citizens who would have seen 
choices limited.
    Do I have your assurances here today that we are not going 
to put forth a rule that is similar in nature to that rule that 
was brought back? I very rarely have an opportunity to have you 
in a public forum under oath. And so, on behalf of millions of 
Americans, do I have your assurances that we are not going to 
do it?
    I think you made a good decision. My mom, who is a senior 
citizen, thinks that you made a good decision. So do I have 
your assurances that we will not see a similar rule?
    Ms. Tavenner. I am not interested in bringing back the 
pieces that we pulled.
    Mr. Meadows. OK. That is a good almost answer. So do you 
have your----
    Ms. Tavenner. Well----
    Mr. Meadows [continuing]. Assurances, yes or no?
    Ms. Tavenner. You have my assurances that I won't bring 
back the things I just pulled. How about that? I don't have the 
whole----
    Mr. Meadows. Or something similar.
    Ms. Tavenner. Or something----
    Mr. Meadows. Let me tell you the reason why. And it gets 
back to--CBO indicates that much of the reason it is working so 
well is the competitive nature that we have. I mean, that is 
what the study says. And yet we are going to limit competition. 
We are going to limit options for our seniors--some cancer, 
some antidepressants, some antiepileptic. These are serious 
things.
    And so you and I can banter back and forth, but really what 
I need is, on behalf of the American people, your assurances 
here today that that is not going to happen.
    Ms. Tavenner. Now you are bringing in specifics. I am not 
interested in bringing back the drug categories, if that's the 
question. I am not interested in bringing that back.
    I am interested in promoting competition, promoting private 
market. And I think we have tried to do that with the 
marketplace rules, as well. So we would continue to work----
    Mr. Meadows. So we are not going to limit competition, and 
we are not going to narrow what people can get.
    Ms. Tavenner. That would be my preference, yes, sir.
    Mr. Meadows. That's your assurance?
    Ms. Tavenner. That's my assurance.
    Mr. Meadows. All right. Thank you.
    I yield back.
    Chairman Issa. Could you yield to me?
    Mr. Meadows. Sure. I would be glad to.
    Chairman Issa. Briefly, item four from the GAO says, 
``Perform a comprehensive security assessment of the FFM, 
including the infrastructure platform and deployed software 
elements.''
    Now, initially, that was one you said ``no'' to. Are you 
saying you will perform that full system-wise test and have it 
done by November 15th? Because that's sort of the one that GAO 
couldn't--we can't know what we don't know until you do that. 
Is that right?
    Ms. Tavenner. I think we get into a discussion of style 
here. It is our intention--and we will complete a full, end-to-
end assessment, security assessment, prior to open enrollment, 
yes, sir. That is scheduled for later this month or October.
    I think where we got into a different conversation had to 
do with infrastructure and platform in our definitions, but I 
think our intentions are the same.
    Chairman Issa. Why don't we let--Greg, if you would give us 
the rest of that.
    Mr. Wilshusen. Right. As long as the tests that they 
perform include how the applications interface with the 
operating platforms--and the infrastructure to look at it in 
totality is going to be critical. Because certain 
vulnerabilities on levels or layers of the security could 
affect the security of the other components of it because there 
are a number of components involved with this Website and its 
supporting systems and a number of different entities involved 
with their operation----
    Chairman Issa. And so, for the layperson out there, would 
it be fair to say that, for example, when software opens a 
portal on a particular piece of equipment that that can create 
a vulnerability in one type of hardware that it wouldn't in 
another, that that's the kind of thing--that they have to look 
at the actual hardware they are using, what it interfaces with 
and so on. Isn't that right?
    Mr. Wilshusen. To include looking at the firewalls and the 
routers and switches that support it, as well as the operating 
systems and how they're being configured, yes, sir.
    Chairman Issa. And, I presume, any remote access devices, 
any VPNs, any of that, would be part of it. Because all it 
takes, if I understand right, is one PC that has a VPN 
connection that isn't in the software, but once you put it in, 
it can create a separate vulnerability, right? And that's what 
you're looking for.
    So if I saw the heads nod--and I like that--the two of you 
are going to--one of you is going to come back to the ranking 
member and myself if this agreement that you're going to do 
that by November 15th doesn't happen. Is that right? Maybe both 
of you.
    Mr. Wilshusen. I would be willing to work with your staff 
to do some follow-on----
    Chairman Issa. I think that's all that Mr. Cummings and I 
would like to know, is that since you're shaking your heads and 
smiling now, that if that stops between now and November 15th, 
one of you will tell us.
    Mr. Wilshusen. Yes, sir.
    Chairman Issa. Mr. Cummings?
    Mr. Cummings. I mean, I'm going to encourage you to do 
that. Just do it, please.
    Ms. Tavenner. We will do that.
    Mr. Cummings. And I'm not trying to be smart. I mean, Ms. 
Tavenner, I know that--and all of you--I know you're trying to 
do what is in the best interests of the American people. I 
understand that. But it seems as if what we want is the highest 
level of best practice.
    Am I right, Mr. Chairman? The highest level.
    Chairman Issa. Absolutely.
    Mr. Cummings. And, Ms. Tavenner, I couldn't help but--when 
I was thanking you on behalf of my constituents, I could see a 
tear come up in your eye. And, you know, so often I think 
Federal employees--a lot of people don't realize that a lot of 
our employees, most of them, are not in government for the 
money. They're in it--and I have people coming trying to work 
for our committee all the time who are willing to take 
reduction of salaries from the private sector because there's 
something about this that feeds their souls, something about 
lifting up the public and making their lives better.
    And so, to all of you and to all of the Federal employees 
who may be listening out and the ones behind you, Ms. Tavenner, 
and all the ones that may be in the audience and up here, I 
just want to thank you very much.
    Thank you.
    Chairman Issa. Thank you.
    And I understand the gentlelady from New Mexico--did you 
have any follow-up questions, Ms. Grisham?
    Ms. Lujan Grisham. Mr. Chairman, I don't. I was thanking 
you. And I appreciate both the leadership of the chairman and 
the ranking member to assure that we get feedback. And they 
represented very effectively all of my concerns and points. So 
thank you very much for your leadership.
    Chairman Issa. Thank you.
    I've got a couple very quick wrap-ups that came out of 
these. And big smile because we're nearing the end.
    There was a question about more people being insured. And I 
just have to ask, is Medicaid insurance?
    Ms. Tavenner. In my opinion, Medicaid is insurance for 
sure.
    Chairman Issa. So----
    Ms. Tavenner. But that was not part of what I was----
    Chairman Issa. But the actual level of insurance under 
Medicaid that was talked about, it's Medicaid insurance. That's 
what's lowering the number of uninsured, is Medicaid.
    Ms. Tavenner. Plus the marketplace. Both are lowering that 
number.
    Chairman Issa. Which is then subsidies, primarily.
    Ms. Tavenner. So----
    Chairman Issa. The actual number of people who are 
receiving unsubsidized health care has gone down. Is that 
right?
    Ms. Tavenner. You know--and I don't have all the reports 
in front of me, but, actually, the number of people insured off 
the exchange without subsidy is also rising. I don't have the 
latest private insurance. Private insurance had a negative 
trend that had been going on for the last 10 years. That seems 
to have kind of stabilized out. If you add Medicaid and you add 
the marketplace exchange with or without subsidy, I think 
that's what you're seeing----
    Chairman Issa. Sure.
    Well, the reason is that--those questions led to this, sort 
of, feeling that everything was better, but isn't it true that 
the Medicare trustee Charles Blahous--or ``Blahous''--he 
projected that by 2021 the impact of the Affordable Care Act 
will be a $346-billion to $527-billion increase in the deficit, 
essentially because the government is going to pay that 190 
percent for Medicaid, the government is going to provide those 
subsidies. And the government is, in fact, the taxpayer. So the 
deficit will rise based on the money that buys that insurance. 
Is that true?
    Ms. Tavenner. I am not familiar with that report.
    Chairman Issa. OK. But the government is--general tax 
revenues are, in fact, paying for these subsidies and for 
Medicaid. It doesn't come out of a trust fund. Medicaid is 
ordinary income tax. Is that correct?
    Ms. Tavenner. I'm sure that you know that, Mr. Chairman. I 
don't----
    Chairman Issa. For the record, Medicaid is paid out of 
income tax, and much of Medicare is paid out of income tax. The 
trust fund, when we talk about it, pays only a small part of 
what our seniors reflect.
    Now I have really the final question, and it's one that 
deeply concerns me. And it wasn't the main topic today, but 
it's right in your lane.
    On May 15th, you projected 8 million as an enrollment 
number. August, it's now 7.3 million. What happened to that 
700,000 to 800,000 people? Why was there such a precipitous 
drop?
    Ms. Tavenner. So the 8 million individuals--and I think 
that number was after the end of open enrollment--had signed 
up. And I think, during the course of the next several months, 
individuals may have either gotten employer-sponsored 
insurance, they may have found out they were eligible for 
Medicaid instead of the marketplace, and some individuals may 
have decided not to go forward and pay.
    I think there was always----
    Chairman Issa. Well, that's a great question. And the 
reason I asked that question is, you know, people were 
asserting that signing up meant nothing and paying meant 
everything.
    How much of that 700,000-plus drop were people who did not 
pay? Or do you know?
    Ms. Tavenner. I don't know that information.
    Chairman Issa. Wouldn't it be all of those people did not 
pay?
    Ms. Tavenner. I don't think we'll know that till the end of 
the year. And then we will probably----
    Chairman Issa. Well, let me ask the question a different 
way. Because, you know, I am an old businessman. People signed 
up; they were, therefore, insured. Is that correct? They 
enrolled; they were insured.
    Ms. Tavenner. These were people who signed up for a plan. 
But, in order to get insured, you had to make a payment.
    Chairman Issa. Well, no. They were insured right away, and 
then, if they didn't make the payment, they went off.
    Ms. Tavenner. Within 90 days, right.
    Chairman Issa. So they basically got a free ride; 700,000 
people got a free ride. They had coverage, and if something 
catastrophic happened, they could make a payment. And if 
something catastrophic didn't happen, they could just let it 
drop.
    Ms. Tavenner. I don't think we know that information.
    Chairman Issa. Oh, no, this is a structural question that I 
know you must know or the technical people behind you must 
know.
    If 8 million people sign up--let's just say 8 million 
people sign up, and not the 700,000 who dropped, but let's just 
say 50 people out of 8 million had a health event, and they 
weren't going to pay, they just signed up on a lark because 
it's a free ride to sign up, but then they had a health event, 
did they get to go to the doctor during that 90 days because 
they had signed up and hadn't yet paid?
    Ms. Tavenner. Yes.
    Chairman Issa. So the system as it is today is an 
incredibly easily gamed system, if I understand correctly. 
Three hundred sixteen million Americans could all sign up and 
get 90 days worth of free insurance, and if nothing happens, 
there's no downside to their just letting it lapse by not 
making a payment. Is that right?
    You don't dun them. You don't go after them. You don't 
follow up. You don't sue them for the coverage they had but 
never paid for, do you?
    Ms. Tavenner. Which, I think, is why it's important to know 
that, as of August, 7.3 million were making their payments and 
were still continuing the insurance----
    Chairman Issa. So 7.3 million people may have made small 
payments because they were highly subsidized or larger payments 
because they weren't. Are you prepared to release those figures 
anytime soon so we understand, of the 7.3 million, how many of 
them, if any--well, there would be some--were completely 
unsubsidized, how many were partially subsidized, how many were 
substantially subsidized?
    Ms. Tavenner. Yes, we will have that information. And as 
soon as we have it, we will release it. But, yes, we will be 
able to talk about numbers.
    Chairman Issa. Estimate of when?
    Ms. Tavenner. I don't have an estimate, but I'm happy to 
get that for you.
    Chairman Issa. OK.
    Being an old businessman, I must admit that giving people 
90 days free and no retrospective look to find out whether, in 
fact, they were maybe dual-insuring, maybe just signing up for 
a lark, to me, means that your initial figures are of no value 
and that people should be cynics and say we don't know how many 
people have signed up.
    But next year, starting November 15th, I'm presuming that 
if GAO is going to estimate the signups, they are going to be 
able to only use--that if you get 8 million again, they can 
assume that 7.3 is the net number, right?
    Ms. Tavenner. I think 7.3 is a really strong number. And I 
would remind you that those individuals who sign up and get tax 
credits still have a reconciliation process next April. Right?
    Chairman Issa. Yes, we're looking forward to that part to 
see if there's a clawback.
    My parting question: This committee held a hearing on the 
issue of over $15 billion owed to the American people by the 
State of New York for excess payments in violation of the law, 
in violation of CMS maximums. That falls under your watch. Have 
you done anything to reclaim that $15 billion?
    Ms. Tavenner. Yes, sir, we have. We initiated----
    Chairman Issa. And have you gotten any of it back?
    Ms. Tavenner. We recently initiated that. I don't think we 
have gotten any of it back yet, but we sent the--basically the 
request for recovery.
    Chairman Issa. You've made a request for recovery.
    Ms. Tavenner. We follow our normal process.
    Chairman Issa. Do you have the authority to simply 
withhold, the way you would to a private entity? You know, if 
I'm a doctor and I overbill $15 billion or maybe some minor 
amount less than that if I'm less hardworking, the first thing 
you would do is cut off payments for services, right? You 
simply wouldn't send them a penny.
    You're sending millions or billions of dollars to New York 
every month, aren't you?
    Ms. Tavenner. So I can brief you or your team on this in 
some detail. Initially, what we would do, whether it's a doctor 
or an entity or whatever, is we ask them how they would like to 
repay us. And we normally----
    Chairman Issa. I wish that were true.
    Ms. Tavenner. I think that----
    Chairman Issa. I've had too many healthcare entities who 
make it very clear, your people come in, you make a 
determination, the moment you make a determination they 
basically have to quit their practices and go into an appeal 
process, and in the meantime they're not receiving a penny, and 
you claw back.
    So do you want to state that in a way that the private-
sector people don't call me up and say, how did you let her say 
that you give people lots of time and ask them how they'd like 
to repay it?
    Ms. Tavenner. Well, and I think you know I was on that 
private-sector side for quite a period of time. And so if there 
is a question of overpayment, yes, CMS will make you aware of 
an overpayment situation----
    Chairman Issa. And then claw back real fast.
    Ms. Tavenner. Unless you want to pay them up front, in 
which case----
    Chairman Issa. If you're able to write a $15-billion check, 
they won't deduct from the revenue.
    Ms. Tavenner. Right.
    Chairman Issa. Is New York prepared to give you a $15-
billion check?
    Ms. Tavenner. I can't speak for New York.
    Chairman Issa. But right now New York and perhaps others 
owe the American people money from excess payments, and they're 
not being treated the way private sector is being treated. 
They're being treated a little bit with kid gloves. Fifteen 
billion is a lot of money.
    Ms. Tavenner. Actually, we went through the first year, and 
we made a request or demand for the money. And I'm happy to 
brief your staff on that.
    Mr. Meadows. Will the gentleman yield?
    Chairman Issa. Of course.
    Mr. Meadows. You have hit on an area that we have had a 
number of hearings already with regards to RAC audits. And I 
would implore you to treat New York the same way you're 
treating the constituents in my home State of North Carolina. 
Because very quickly what you do is you put private companies 
out of business because you deny the claim and you say, you 
either pay up or you go home.
    And if you're not going to treat New York the same way you 
treat North Carolina, I've got a real issue with it, Ms. 
Tavenner.
    Ms. Tavenner. So we would treat New York the same way we 
treat every other State. And----
    Mr. Meadows. Well, no, I'm talking about government versus 
private.
    Ms. Tavenner. We would treat----
    Mr. Meadows. Because I'm talking about private companies.
    Ms. Tavenner. I'm sorry. We would treat New York the same 
way we would treat anyone who owes us funds.
    Now, New York--I just got this information from my staff--
has appealed this decision, which is the same option that 
anyone has.
    Mr. Meadows. Right. And a private company, when they 
appeal, the answer is the same: Pay up in 5 years or go out of 
business.
    Ms. Tavenner. I understand.
    Mr. Meadows. I mean, the statute says 60 months. I know it 
very well.
    Ms. Tavenner. I know. We have treated States the same way 
we treat providers.
    Mr. Meadows. All right. So they are going to have to pay up 
within 60 months, New York?
    Ms. Tavenner. I'm happy to get you information. I just 
don't have it in front of me. But we treat----
    Mr. Meadows. All right.
    I yield back. Thank you, Mr. Chairman.
    Chairman Issa. I thank you both.
    And we'll go to the ranking member.
    And I appreciate your staff's assistance. Because although 
it's an issue that you know is never going away before this 
committee, it wasn't the main subject for today.
    Mr. Cummings?
    Mr. Cummings. I want to go back to the 7.3 million people 
who paid their premiums and, I guess, around 700,000 who did 
not. There are all kinds of reasons, I guess, why people may 
not pay their premiums, and a lot of people in our society are 
still struggling with all kinds of things.
    You talked about a reconciliation process. Can you talk 
about that for a moment?
    Ms. Tavenner. The way that it works is individuals--the 90-
day grace period is set up to give individuals an opportunity 
to pay. At the same time, they start to receive tax credits. 
These tax credits are reconciled the next year on their income 
tax returns. If people have underpaid on their APTC, then they 
are likely to get a tax credit back. If they have overpaid, 
meaning if they've received a higher APTC than intended based 
on their income, they may owe the Federal Government back. And 
that's part of the partnership we have with IRS.
    I don't think that the 700,000 is--in fact, I was very 
pleased to know that we have payment levels of 90 percent. This 
is a brand-new program. This has never been done before. I 
think by the end of 2014 and as we start to look back on 2014 
we'll understand the circumstances. I expect, in some cases, 
they may have moved. They may have gotten married. They may 
have gotten insured. They may have lost their income and gone 
on Medicaid or into the uninsured ranks. We will only know that 
as we do a lookback. And we're careful not to look back too 
early.
    Mr. Cummings. And these are not necessarily people trying 
to game the system.
    Ms. Tavenner. No, sir.
    Mr. Cummings. I mean, I see folks every day that they're 
still being informed as to what the Affordable Care Act is all 
about----
    Ms. Tavenner. Right.
    Mr. Cummings [continuing]. And trying to make it--one 
singer says, ``Working 9 to 5 just to stay alive.''
    Ms. Tavenner. That's right.
    Mr. Cummings. But in my district sometimes they're working 
two jobs just to stay alive. And so they're struggling trying 
to manage all this information, trying to do the best they can 
to take care of their families, and many of them going through 
some very difficult circumstances.
    Ms. Tavenner. That's right.
    Mr. Cummings. All right. Thank you very much.
    Ms. Tavenner. Thank you.
    Chairman Issa. The gentleman from Virginia, normally the 
first to arrive. We've just finished round three and the close. 
Would the gentleman have some questions?
    Mr. Connolly. I thank the chairman.
    Chairman Issa. The gentleman is recognized.
    Mr. Connolly. I was on the House Foreign Affairs Committee 
with the Secretary of State. Forgive me for being late.
    Chairman Issa. Well, I'm sure the questions there were 
provocative, so----
    Mr. Connolly. Yes.
    Welcome to the panel.
    Mr. Wilshusen, would it be unreasonable of us to suggest 
that no company, no government, no individual should feel 
entirely secure and safe in the digital age?
    Mr. Wilshusen. I would say if you're referring to use of 
online transactions on the Internet and the like, that there 
are certainly risks associated with that, just given the 
weakness in the nature of the Internet as well as the 
competency and prevalence of hackers who might wish to exploit 
those weaknesses.
    Mr. Connolly. The issue of securing public and private 
information systems, I assume, is not something unique to the 
Affordable Care Act implementation.
    Mr. Wilshusen. No. It's an issue for any computer system 
operated by any agency, any organization. There is always a 
need to protect that information. And, certainly, as we 
mentioned earlier, you know, within the Federal Government, GAO 
has been identifying Federal information security as a 
governmentwide high-risk area since 1997.
    Mr. Connolly. Right. Since 1997.
    Mr. Wilshusen. Yes, sir.
    Mr. Connolly. Two administrations ago.
    Mr. Wilshusen. Probably.
    Mr. Connolly. Right.
    Ms. Tavenner, hello, and welcome to our committee----
    Ms. Tavenner. Thank you, sir.
    Mr. Connolly [continuing]. I think. It may not have been 
entirely a felicitous beginning of this hearing, but I welcome 
you. And thank you for your work.
    But let me ask you a question. One of the things we hear 
about the rollout of the Website in retrospect is that the 
coordination of IT management is disparate, not always focused, 
and perhaps was seen as a technical issue while, you know, CMS 
and the Department of Health and Human Services were focused 
on, sort of, the bigger picture and the reforms getting in 
place and the pieces finally fitting into the mosaic, and maybe 
this got short shrift. And it turned out to be the Achilles 
heel. And the whole enterprise was at risk because of this 
failure, which was a technology issue.
    In looking back on it, what lessons did you learn as a 
manager? And is there some validity to that critique, from your 
point of view?
    Ms. Tavenner. Yes, sir, I think there is some validity to 
that critique. And some of the lessons learned and changes that 
we've made early on in year 1 but definitely for year 2 is we 
needed a systems integrator. We needed someone to help with the 
coordination. We needed a clear point of accountability. We 
needed better communication. And you're right; there was 
probably more time spent on the nontechnical components, and we 
didn't realize the technology was as difficult as it was.
    So those were lessons learned. I think we've put changes in 
place. We are very, very happy with the number who signed up. 
We have--year 2 is going to be an equally hard year. It won't 
be perfection; it will be greatly improved. And we're looking 
forward to finding some more uninsured and helping folks get 
coverage.
    Mr. Connolly. Thank you. Thank you for that candid 
response.
    Final question, Mr. Wilshusen: Are you familiar with the 
bill that the chairman and I have coauthored called FITARA, the 
Federal Information Technology Acquisition and Reform Act? A 
mouthful.
    Mr. Wilshusen. A little bit, sir, but not completely.
    Mr. Connolly. Well, that bill tries to get at how the 
Federal Government manages IT procurement and acquisition. And 
it addresses, inter alia, how the Federal Government is 
managed. And I think it's based on the conclusion that it's not 
well-managed and it's very inefficient and there are too many 
people with the titles ``CIO.'' And what could go wrong with 
that? The estimate is $20 billion of the $82 billion that we 
spend on IT acquisition every year is at least inefficiently 
used, sometimes downright, unfortunately, wasted.
    Is it GAO's position that we do need some IT updates and 
reforms to, kind of, update on Clinger-Cohen, which was almost 
20 years ago? And in technology 20 years is light years.
    Mr. Wilshusen. Well, sir, that's actually outside my 
particular area. I focus on information security and privacy 
issues. We have others that----
    Mr. Connolly. But aren't----
    Mr. Wilshusen. But I can get that answer to you.
    Mr. Connolly. That would be fine. But isn't information 
security related to how well we're managing our IT assets?
    Mr. Wilshusen. Oh, certainly. And, certainly, there is need 
for improvements in how IT is secured within the Federal 
Government, and that's an implementation issue. And we're also 
on record that FISMA, which is the Federal Information Security 
Management Act that governs information security across the 
government, could also be updated and modified.
    Mr. Connolly. Well, again, I believe this committee and, 
again, the chairman, ranking member, and I have been involved 
in that, as well. But the House has certainly tried to address 
that, and we've found bipartisan common ground on these issues. 
I urge you to look at the bill and see how it applies to your 
particular area.
    Mr. Wilshusen. I will.
    Mr. Connolly. I thank you.
    And, Mr. Chairman, thank you for allowing a shameless plug 
for our legislation one more time.
    Chairman Issa. Well, in closing, it's not shameless, but 
it's a good plug.
    You know, I'll close--because, Ms. Tavenner, we'll probably 
try to do everything without having you back, and I think we're 
on the right track. This is a committee that does legislation 
on a very bipartisan basis, in most cases, and it doesn't get 
reported. And then we have oversight, and perhaps it's not as 
bipartisan, and it often does get reported.
    I do think today's hearing was worthwhile. I believe that, 
hopefully, Mr. Cummings and I both expect that there will be a 
little bit more certainty as to the security that will come out 
of the Website.
    CMS is critical to the American people. Your role has been 
expanded, perhaps, more with the Affordable Care Act than any 
item before.
    And Mr. Cummings often talks about the Federal work force 
and certainly about the good work that's being done. I want to 
close by saying that just because we give you a hard time over 
item after item, just because a number of Members asked about, 
``What about these billions of dollars that were given to 
States for their failed Websites?'', doesn't mean we think it's 
easy. Just the opposite. We know it's hard. We want government 
to oversee itself to the greatest extent possible. And it's the 
reason that we do appreciate and support the GAO, we do 
appreciate and support the inspectors general, and that we try 
to be, if you will, their supporters in order to get the kinds 
of certainty and, when necessary, reforms that are necessary.
    So I want to thank you for being here today. I think this 
was an informative hearing.
    And, with that--Mr. Cummings gives me a ``yes''--we stand 
adjourned.
    [Whereupon, at 1:30 p.m., the committee was adjourned.]


                                APPENDIX

                              ----------                              

               Material Submitted for the Hearing Record
               
[GRAPHIC] [TIFF OMITTED] 