[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]


 
                    CAN AMERICANS TRUST THE PRIVACY
                         AND SECURITY OF THEIR
                     INFORMATION ON HEALTHCARE.GOV?

=======================================================================

                             JOINT HEARING

                               BEFORE THE

               SUBCOMMITTEE ON RESEARCH AND TECHNOLOGY &
                       SUBCOMMITTEE ON OVERSIGHT

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                           FEBRUARY 12, 2015

                               __________

                            Serial No. 114-6

                               __________
 
 Printed for the use of the Committee on Science, Space, and Technology
 
 


       Available via the World Wide Web: http://science.house.gov
       
                                __________
                                
                     
                        U.S. GOVERNMENT PUBLISHING OFFICE
93-884 PDF                   WASHINGTON : 2015                        
     
_____________________________________________________________________________________   
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, 
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). 
    
       

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY

                   HON. LAMAR S. SMITH, Texas, Chair
FRANK D. LUCAS, Oklahoma             EDDIE BERNICE JOHNSON, Texas
F. JAMES SENSENBRENNER, JR.          ZOE LOFGREN, California
DANA ROHRABACHER, California         DANIEL LIPINSKI, Illinois
RANDY NEUGEBAUER, Texas              DONNA F. EDWARDS, Maryland
MICHAEL T. McCAUL                    FREDERICA S. WILSON, Florida
STEVEN M. PALAZZO, Mississippi       SUZANNE BONAMICI, Oregon
MO BROOKS, Alabama                   ERIC SWALWELL, California
RANDY HULTGREN, Illinois             ALAN GRAYSON, Florida
BILL POSEY, Florida                  AMI BERA, California
THOMAS MASSIE, Kentucky              ELIZABETH H. ESTY, Connecticut
JIM BRIDENSTINE, Oklahoma            MARC A. VEASEY, Texas
RANDY K. WEBER, Texas                KATHERINE M. CLARK, Massachusetts
BILL JOHNSON, Ohio                   DON S. BEYER, JR., Virginia
JOHN R. MOOLENAAR, Michigan          ED PERLMUTTER, Colorado
STEVE KNIGHT, California             PAUL TONKO, New York
BRIAN BABIN, Texas                   MARK TAKANO, California
BRUCE WESTERMAN, Arkansas            BILL FOSTER, Illinois
BARBARA COMSTOCK, Virginia
DAN NEWHOUSE, Washington
GARY PALMER, Alabama
BARRY LOUDERMILK, Georgia
                                 ------                                

                Subcommittee on Research and Technology

                 HON. BARBARA COMSTOCK, Virginia, Chair
FRANK D. LUCAS, Oklahoma             DANIEL LIPINSKI, Illinois
MICHAEL T. MCCAUL, Texas             ZOE LOFGREN, California
STEVEN M. PALAZZO, Mississippi       SUZANNE BONAMICI, Oregon
RANDY HULTGREN, Illinois             KATHERINE M. CLARK, Massachusetts
JOHN R. MOOLENAAR, Michigan          SUZANNE BONAMICI, Oregon
STEVE KNIGHT, California             DON S. BEYER, JR., Virginia
BRUCE WESTERMAN, Arkansas            EDDIE BERNICE JOHNSON, Texas
GARY PALMER, Alabama
LAMAR S. SMITH, Texas
                                 ------                                

                       Subcommittee on Oversight

                 HON. BARRY LOUDERMILK, Georgia, Chair
F. JAMES SENSENBRENNER, JR.,         DON BEYER, Virginia
    Wisconsin                        ALAN GRAYSON, Florida
BILL POSEY, Florida                  ZOE LOFGREN, California
THOMAS MASSIE, Kentucky              EDDIE BERNICE JOHNSON, Texas
JIM BRIDENSTINE, Oklahoma
BILL JOHNSON, Ohio
LAMAR S. SMITH, Texas

                            C O N T E N T S

                           February 12, 2015

Witness List

Hearing Charter

                           Opening Statements

Statement by Representative Barbara Comstock, Chairwoman, 
  Subcommittee on Research and Technology, Committee on Science, 
  Space, and Technology, U.S. House of Representatives
    Written Statement

Statement by Representative Daniel Lipinski, Ranking Minority 
  Member, Subcommittee on Research and Technology, Committee on 
  Science, Space, and Technology, U.S. House of Representatives
    Written Statement

Statement by Representative Barry Loudermilk, Chairman, 
  Subcommittee on Oversight, Committee on Science, Space, and 
  Technology, U.S. House of Representatives
    Written Statement

Statement by Representative Don S. Beyer, Ranking Minority 
  Member, Subcommittee on Oversight, Committee on Science, Space, 
  and Technology, U.S. House of Representatives
    Written Statement

                               Witnesses:

Ms. Michelle De Mooy, Deputy Director, Consumer Privacy, Center 
  for Democracy and Technology
    Oral Statement
    Written Statement

Mr. Morgan Wright, Principal, Morgan Wright, LLC
    Oral Statement
    Written Statement

Discussion

             Appendix I: Answers to Post-Hearing Questions

Ms. Michelle De Mooy, Deputy Director, Consumer Privacy, Center 
  for Democracy and Technology

Mr. Morgan Wright, Principal, Morgan Wright, LLC

            Appendix II: Additional Material for the Record

Prepared statement by Representative Elizabeth Esty, Committee on 
  Science, Space, and Technology, U.S. House of Representatives
Letters submitted by Representative Barbara Comstock, Chairwoman, 
  Subcommittee on Research and Technology, Committee on Science, 
  Space, and Technology, U.S. House of Representatives
Documents submitted by Representative Barbara Comstock, 
  Chairwoman, Subcommittee on Research and Technology, Committee 
  on Science, Space, and Technology, U.S. House of 
  Representatives

 
                    CAN AMERICANS TRUST THE PRIVACY
                         AND SECURITY OF THEIR
                     INFORMATION ON HEALTHCARE.GOV?

                              ----------                              


                      THURSDAY, FEBRUARY 12, 2015

                  House of Representatives,
          Subcommittee on Research and Technology &
                          Subcommittee on Oversight
               Committee on Science, Space, and Technology,
                                                   Washington, D.C.

    The Subcommittees met, pursuant to call, at 2:49 p.m., in 
Room 2318 of the Rayburn House Office Building, Hon. Barbara 
Comstock [Chairwoman of the Subcommittee on Research and 
Technology] presiding.

    Chairwoman Comstock. The Subcommittee on Research and 
Technology and Subcommittee on Oversight will come to order.
    Without objection, the Chair is authorized to declare 
recesses of the Subcommittee at any time.
    Good afternoon. Welcome to today's hearing entitled ``Can 
Americans Trust the Privacy and Security of Their Information 
on Healthcare.gov?''
    In front of you are packets containing the written 
testimony, biographies, and truth-in-testimony disclosures for 
today's witnesses.
    I recognize myself for five minutes for an opening 
statement.
    Now, the reason we are having the hearing today is just 
over three weeks ago on January 20, the Associated Press 
reported that as many as 50 data mining companies had access to 
consumers' personal and health information on HealthCare.gov. 
Companies such as Google, Twitter, Facebook, Yahoo, and 
Advertising.com apparently were provided access by CMS, the 
Centers for Medicare and Medicaid Services.
    Upon learning of this development, Chairman Smith sent 
several letters to department heads questioning the practice 
and trying to get more information about what actually had 
happened, but no one has replied with additional information at 
this point.
    As reported by AP, ``When you apply for coverage on 
HealthCare.gov, dozens of data companies may be able to tell 
that you are on the site.'' While the information shared with 
these third party companies does not include, apparently, the 
healthcare consumer's Social Security number, it appears that a 
number of data companies may have had access to consumers' age, 
income, ZIP code, smoking practices, pregnancy status, and even 
computer IP address.
    While some may characterize this as a harmless collection 
of data, it can actually be more revealing. A recent MIT study 
of credit card data revealed that only four pieces of outside 
information about a user, including one's social media 
activity, were sufficient to identify a person in the database 
of a million people.
    The concerns with HealthCare.gov's practice of sharing data 
are twofold. There are privacy implications of feeding 
consumers' personal data--unbeknownst to them--to third party 
vendors, and there are security concerns, because additional 
connections to the website can lead to additional 
vulnerabilities.
    During my first hearing that we had here on the 
Subcommittee I shared that I experienced a credit card breach 
because someone had ordered $7,000 of products and wrongfully 
charged them to my credit card right before Christmas. 
Fortunately, that situation resolved fairly quickly and I 
wasn't liable for those charges, but what if the information 
stolen had been about healthcare? How would that impact 
somebody?
    You know, you can get a new credit card but when that is 
taken or hacked, like whatever happened in that case, but once 
personal health information is compromised, personal family 
information, other things like that, you don't know where that 
may go and it could be out there forever. That is why health 
and health insurance information apparently is reportedly worth 
up to 10 times as much as credit card information on the black 
market.
    The risks posed by HealthCare.gov data-sharing are 
underscored by the fact that a hacker accessed the website last 
July to upload malicious software. Government investigators 
found no evidence that consumers' personal data were taken, but 
HHS said the attack appears to have been the first successful 
intrusion into the website. Many security experts have warned 
of vulnerability to hacking since HealthCare.gov went live more 
than a year ago.
    And just last week, we learned about what might be the 
largest data breach against the country's second biggest health 
insurer, Anthem. In this case, stolen information for 80 
million Anthem members included names, birth dates, Social 
Security numbers and medical IDs. That impacted my constituents 
so I, and I know other colleagues of mine in Virginia, posted 
information about the Anthem situation at my official website 
to inform our constituents, but obviously they had very strong 
concerns when healthcare information may be at risk.
    Today's hearing is a precursor to one at which we will 
invite witnesses from the federal government to answer specific 
questions about the HealthCare.gov contracts with the third 
party companies. I look forward to the insights of both our 
witnesses today as the Committee continues its due diligence 
over this issue.
    And I do want to emphasize that obviously we do want to 
hear from the folks at CMS and the Chairman had reached out to 
them, but we wanted to proceed and hear from other experts such 
as are here today.
    [The prepared statement of Mrs. Comstock follows:]

                   Prepared Statement of Subcommittee
                      Chairwoman Barbara Comstock

    Three weeks ago, on January 20, the Associated Press reported that 
as many as 50 data mining companies had access to consumers' personal 
and health information on HealthCare.gov. Companies such as Google, 
Twitter, Facebook, Yahoo, and Advertising.com apparently were provided 
access by CMS (the Centers for Medicare and Medicaid Services).
    As reported by AP, ``When you apply for coverage on HealthCare.gov, 
dozens of data companies may be able to tell that you are on the 
site.'' While the information shared with these third party companies 
does not include the health care consumer's Social Security number, it 
appears that a number of data companies may have had access to 
consumers' age, income, ZIP code, smoking practices, pregnancy status, 
and even computer IP address.
    While some may characterize this as a harmless collection of data, 
it can actually be much more revealing. A recent MIT study of credit 
card data revealed that only four pieces of outside information about a 
user, including one's social media activity, were sufficient to 
identify a person in the database of a million people.
    The concerns with HealthCare.gov's practice of sharing data with 
companies like Google, Twitter and Facebook are two-fold. There are 
privacy implications of feeding consumers' personal data--unbeknownst 
to them--to third party vendors, and there are security concerns, 
because additional connections to the website can lead to additional 
vulnerabilities.
    We also should consider this news in the context of President 
Obama's announcement that he would bring forward a new online privacy 
and cybersecurity proposal later this month. This proposal was 
described as building on steps previously taken to ``protect American 
companies, consumers, and infrastructure from cyber threats, while 
safeguarding privacy and civil liberties.'' It seems to me that what 
the AP has reported about Americans' data on HealthCare.gov and what 
the President expects of Americans may be in conflict or certainly 
raise legitimate concerns.
    Privacy protections at federal government websites should be the 
gold standard, setting the bar for others to follow. Privacy 
protections at federal websites should at least follow the guidance 
provided through the Federal Information Security Management Act and 
last year's publication of the Cybersecurity Framework by the National 
Institute of Standards and Technology. I am interested in hearing from 
our expert witnesses about privacy protections for users of 
HealthCare.gov.
    During my first hearing as Chairwoman of this Subcommittee, I 
shared that I experienced a credit card breach because someone had 
ordered $7,000 in wrongful charges on my card right before Christmas.
    Fortunately, the situation was resolved and I wasn't liable for 
those charges. But what if information stolen like this had been 
related to health?
    You can get a new credit card when your old one is hacked. But once 
personal health information is compromised, it could be out there 
forever. That is why health and health insurance information is 
reportedly worth up to ten times as much as credit card information on 
the black market.
    The risks posed by HealthCare.gov data sharing are underscored by 
the fact that a hacker accessed the website last July to upload 
malicious software. Government investigators found no evidence that 
consumers' personal data were taken, but HHS said the attack appears to 
have been the first successful intrusion into the website. Many 
security experts have warned of vulnerability to hacking since 
HealthCare.gov went live more than a year ago.
    And just last week, we learned about what might be the largest data 
breach against the country's second biggest health insurer, Anthem. In 
this case, stolen information for 80 million Anthem members included 
names, birth dates, Social Security numbers and medical IDs.
    I posted information about the Anthem situation at my official 
website to inform my constituents.
    Today's hearing is a precursor to one at which we will invite 
witnesses from the federal government to answer specific questions 
about the HealthCare.gov contracts with third party companies. I look 
forward to the insights of both our witnesses today as the Committee 
continues its due diligence over this issue.

    Chairwoman Comstock. Now, before I yield to the Ranking 
Member, I ask unanimous consent that the following documents be 
placed in the record, which include the letters from Chairman 
Smith I referenced earlier.
    Without objection, there we go.
    [The information appears in Appendix II]
    Chairwoman Comstock. Now, I recognize the Ranking Member of 
the Research and Technology Subcommittee, the gentleman from 
Illinois, Mr. Lipinski, for his opening statement.
    Mr. Lipinski. Thank you, Madam Chairwoman.
    I want to welcome the witnesses to this afternoon's 
hearing.
    I am troubled by some of the things we know and some of the 
things we don't know about privacy and security on 
HealthCare.gov. We have a couple of very good witnesses today 
who I look forward to hearing from. Unfortunately, neither of 
these experts had any role in developing HealthCare.gov or 
decisions regarding privacy and security, but I do hope that 
the testimony will help shape some of the questions we should 
be asking those who did have a role in those decisions.
    Given the problematic rollout of HealthCare.gov and 
problems with some state exchange websites such as those with 
the D.C. marketplace, it is clear that the implementation of 
the technical side of the Affordable Care Act merits 
Congressional review and oversight. While HealthCare.gov 
functionality has improved since last year and CMS has been 
responsive to reports of potential security or privacy 
weaknesses as they have been identified, we should continue to 
conduct oversight because the type of personal data that is 
inputted into the site raises the potential for serious 
problems.
    Yet we must also make sure that we are clear on the 
context. We are here today because of recent news reports about 
the use of third-party analytics tools on HealthCare.gov, as 
the Chairwoman mentioned. Data analytics tools can be valuable 
for tracking how websites are being used and optimizing the 
website for the consumer. While I am on the record about my 
reservations about the Affordable Care Act, I also understand 
the motivation of increasing traffic to the HealthCare.gov 
website in an effort to get more people signed up for health 
insurance.
    However, we must hold the government to the highest 
standards for privacy and security. This is especially true for 
a website like HealthCare.gov in which people enter highly 
private and sensitive information. I have concerns based on the 
initial news reports that the high standards may not have been 
applied to privacy on HealthCare.gov. However, the news 
reports, like today's testimony, have provided more questions 
than answers. We must also be careful to distinguish between 
privacy and security and where the true vulnerabilities may be 
for each. In short, we have a responsibility to gather all the 
facts before coming to any conclusions but we need to get those 
facts.
    I understand, Madam Chairwoman, that you are trying to 
schedule a second hearing with Administration officials who 
have direct knowledge of the issues before us today. I think 
such a hearing, in addition to more staff homework, will be 
necessary before we can draw any clear conclusions or proposals 
for moving forward.
    In addition, I would note that privacy is a big issue 
across the internet. Data analytics tools can help improve 
customer experience but their ubiquity and integration into the 
working of so many websites means that Americans concerned 
about their privacy may have little real choice when it comes 
to how they can manage the release of their information. Ms. De 
Mooy addresses some of that in her testimony and I look forward 
to the discussion on the broader issues. While we may hold the 
government to higher standards, it is incumbent upon us to 
declare the steps we can take to ensure that Americans are able 
to safeguard their personal data across the online environment 
as a whole.
    Finally, while this hearing will focus on online data 
privacy, it is critical to recognize that using the internet is 
far from the only way for Americans' private information to be 
lost. In his testimony, Mr. Wright addresses the difficulty of 
anonymizing data and the ease with which individuals can be 
identified from just a few pieces of information about their 
day-to-day activities such as purchases charged through a 
credit card. Given this testimony, this Committee may want to 
be careful about efforts to publicly disclose study data 
related to the health impacts of the air pollutants used in the 
EPA regulation. It is an issue that we debated in the last 
Congress and I think this is something that we need to 
consider, the problems with anonymizing data, as we move 
forward.
    I look forward to hearing from the witnesses today, and 
with that, I yield back.
    [The prepared statement of Mr. Lipinski follows:]

                   Prepared Statement of Subcommittee
                Minority Ranking Member Daniel Lipinski

    Thank you Madam Chairwoman. I want to welcome the witnesses to this 
morning's hearing on privacy and security on the healthcare.gov 
website.
    I am troubled by some of the things we know and some of the things 
we don't know about privacy and security on healthcare.gov. We have 
some very good witnesses today who I look forward to hearing from. 
Unfortunately none of these experts had any role in developing 
healthcare.gov or in the decisions regarding privacy and security. I do 
hope the testimony will help shape some of the questions we should be 
asking those who did have a role in those decisions.
    Given the problematic rollout of healthcare.gov and problems with 
some state exchange websites such as those with the DC marketplace, 
it's clear that the implementation of the technical side of the 
Affordable Care Act merits Congressional review and oversight. While 
healthcare.gov functionality has improved since last year and CMS has 
been responsive to reports of potential security or privacy weaknesses 
as they have been identified, we should continue to conduct oversight 
because the type of personal data that is input into the site raises 
the potential for serious problems.
    Yet we must also make sure that we are clear on the context. We are 
here today because of recent news reports about the use of third-party 
analytics tools on healthcare.gov. Data analytics tools can be valuable 
for tracking how websites are being used and optimizing the website for 
the consumer. While I am on the record about my own reservations about 
the Affordable Care Act, I also understand the motivation of increasing 
traffic to the healthcare.gov website in an effort to get more people 
signed up for health insurance.
    However, we must hold the government to the highest standards for 
privacy and security. This is especially true for a website like 
healthcare.gov in which people enter highly private and sensitive 
information. I have concerns, based on the initial news reports, that 
the highest standards may not have been applied to privacy on 
healthcare.gov. However, the news reports, like today's testimony, 
provide more questions than answers. We must also be careful to 
distinguish between privacy and security, and where the true 
vulnerabilities may be for each. In short, we have a responsibility to 
gather all of the facts before coming to any conclusions. But we need 
those facts.
    I understand, Madam Chairwoman, that you are trying to schedule a 
second hearing with Administration officials who have direct knowledge 
of the issues before us today. I think such a hearing, in addition to 
more staff homework, will be necessary before we can draw any clear 
conclusions or proposals for moving forward.
    In addition, I would note that privacy is a big issue across the 
internet. Data analytics tools can help improve customer experience. 
But their ubiquity and integration into the workings of so many 
websites means that Americans concerned about their privacy may have 
little real choice when it comes to how they can manage the release of 
their information. Ms. De Mooy addresses some of that in her testimony 
and I look forward to a discussion on the broader issues. While we may 
hold the government to a higher standard, it is incumbent upon us to 
consider steps we can take to ensure that Americans are able to 
safeguard their personal data across the online environment as a whole.
    Finally, while this hearing will focus on online data privacy, I 
think it is critical to recognize that using the internet is far from 
the only way for Americans' private information to be lost. In his 
testimony, Mr. Wright addresses the difficulty of anonymizing data and 
the ease with which individuals can be identified through just a few 
pieces of information about their day-to-day activities, such as 
purchases charged to a credit card. Given this testimony, this 
Committee may want to be careful about efforts to publicly disclose 
study data related to the health impacts of air pollutants used in EPA 
regulations.
    I look forward to hearing from the experts before us today and with 
that I yield back.

    Chairwoman Comstock. I now recognize the Chair of the 
Oversight Subcommittee, the gentleman from Georgia, Mr. 
Loudermilk, for an opening statement.
    Mr. Loudermilk. Thank you, Chairwoman Comstock. I 
appreciate the opportunity to be here, and welcome to all of 
our witnesses here today. And I am looking forward to hearing 
from each of you as we gather information on this very 
important issue.
    Just last week, I joined many of my Republican colleagues 
to vote for a full repeal of ObamaCare. This sweeping 
healthcare law has punished countless Americans by doubling 
some health insurance costs for the same or less coverage in 
many cases by no longer being able to use the plans they were 
promised to keep.
    That same healthcare law created HealthCare.gov, a 
federally operated health insurance exchange website to assist 
Americans in signing up for healthcare coverage. As reported by 
the Associated Press on January 20, 2015, dozens of companies, 
including Google, Facebook, and Twitter, had embedded 
connections to HealthCare.gov. Essentially, when a consumer was 
applying for coverage on the website, it is possible that some 
or all of those data companies were able to tell, at the very 
least, when a person was on the site, their age, their income, 
their ZIP code, and whether they smoked or even if they were 
pregnant.
    The Centers for Medicare and Medicaid Services claim that 
this kind of data mining is necessary for data analytics in 
order to improve user experience. If that is the case, however, 
I wonder why the number of embedded connections to the website 
has significantly dropped since the first news story on the 
matter. Did the Administration actually know and approve all 
the companies that were connected to HealthCare.gov?
    One of our witnesses here today comes from the Center for 
Democracy and Technology, which compiles similar analytics in-
house instead of through a slew of different companies. This 
technique decreases privacy and security vulnerabilities by 
giving website access to a minimum number of individuals who 
are able to improve user experience without compromising user 
information.
    Having multiple outside connections to HealthCare.gov means 
more vendors have access to the website, which only means one 
thing: increased vulnerabilities. About one year ago, hackers 
were able to use just one vendor, an HVAC company based in 
Pennsylvania, to obtain credit and debit card information of 
millions of Target customers nationwide.
    Cybercriminals appear to be increasingly interested in the 
personal information collected by U.S. insurers, so much so 
that a recent Reuters article warned that 2015 could be ``the 
Year of the Healthcare Hack.'' So far, it looks as though they 
are right. Just last week, it was disclosed that a database 
containing personal information for about 80 million customers 
of health insurer Anthem, Incorporated, was hacked. It is 
feared that this breach exposed names, birthdays, addresses, 
and Social Security numbers--all information that 
HealthCare.gov website requests of its customers.
    As someone with a background in the IT sector, I find what 
appears to be extensive tracking of Americans' personal 
information extremely disconcerting and unnecessary. Americans 
were first misled when their President told them ``if you like 
your healthcare insurance plan, you can keep it,'' and now it 
seems like they are being misled into thinking that their 
personal information on HealthCare.gov is as secure as it can 
be.
    Considering that HealthCare.gov is one of the largest 
collections of personal information ever assembled, it is 
extremely important that the Administration implements best 
practices to protect Americans' privacy. This Administration 
ultimately has a responsibility to ensure that personal data 
collected is secure, and Congressional oversight will continue 
until the Administration has proved that it is doing all it can 
to protect the American people.
    I look forward to today's hearing where I hope to gain some 
insight from our expert witnesses on the possible reasoning for 
why scores of data mining companies would be embedded on 
HealthCare.gov, as well as the potential consequences of them 
having access to the website. The American people deserve to 
know the truth and are owed some level of transparency from 
this Administration as to how their information on 
HealthCare.gov is being collected, used, and secured.
    Madam Chair, I yield back my time.
    [The prepared statement of Mr. Loudermilk follows:]

            Prepared Statement of Subcommittee on Oversight
                       Chairman Barry Loudermilk

    Thank you, Chairwoman Comstock, and welcome to all of our witnesses 
here today. I am looking forward to hearing from each of you as we 
gather information on this very important issue.
    Just last week, I joined many of my Republican colleagues to vote 
for a full repeal of Obamacare. This sweeping health care law has 
punished countless Americans by doubling some health insurance costs 
for the same or less coverage, or, in many cases, by no longer being 
able to use the plans they were promised to keep.
    That same health care law created HealthCare.gov, a federally-
operated health insurance exchange website to assist Americans in 
signing up for healthcare coverage. As reported by the Associated Press 
on January 20th, 2015, dozens of companies, including Google, Facebook, 
and Twitter had embedded connections to HealthCare.gov. Essentially, 
when a consumer was applying for coverage on the website, it is 
possible that some or all of those data companies were able to tell, at 
the very least, when the person was on the site, their age, their 
income, their ZIP code, and whether they smoked or even if they were 
pregnant.
    The Centers for Medicare and Medicaid Services claims that this 
kind of data mining is necessary for data analytics in order to improve 
user experience. If that is the case, however, I wonder why the number 
of embedded connections to the website has significantly dropped since 
the first news story on this matter. Did the Administration actually 
know and approve all of the companies that were connected to 
HealthCare.gov?
    One of our witnesses here today comes from the Center for Democracy 
and Technology, which compiles similar analytics in-house instead of 
through a slew of different companies. This technique decreases privacy 
and security vulnerabilities by giving website access to a minimum 
number of individuals who are able to improve user experience without 
compromising user information.
    Having multiple outside connections to HealthCare.gov means more 
vendors have access to the website, which only means one thing: 
increased vulnerabilities. About one year ago, hackers were able to use 
just one vendor, an HVAC Company based in Pennsylvania, to obtain the 
credit and debit card information of millions of Target customers 
nation-wide.
    Cybercriminals appear to be increasingly interested in the personal 
information collected by U.S. insurers, so much so that a recent 
Reuters article warned that 2015 could be ``the Year of the Healthcare 
Hack.'' So far, it looks as though they are right. Just last week, it 
was disclosed that a database containing personal information for about 
80 million customers of health insurer Anthem, Inc. was hacked. It is 
feared that this breach exposed names, birthdays, addresses, and Social 
Security numbers--all information that the HealthCare.gov website 
requests of its customers.
    As someone with a background in the IT sector, I find what appears 
to be extensive tracking of Americans' personal information extremely 
disconcerting and unnecessary. Americans were first misled when their 
President told them that, ``if you like your health insurance plan, you 
can keep it,'' and now it seems like they are being misled into 
thinking that their personal information on HealthCare.gov is as secure 
as it can be.
    Considering that HealthCare.gov is one of the largest collections 
of personal information ever assembled, it is extremely important that 
the Administration implements best practices to protect Americans' 
privacy. This Administration ultimately has a responsibility to ensure 
that personal data collected is secure, and Congressional oversight 
will continue until the Administration has proved that it is doing all 
it can to protect the American people.
    I look forward to today's hearing where I hope to gain some insight 
from our expert witnesses on the possible reasoning for why scores of 
data mining companies would be embedded on HealthCare.gov as well as 
the potential consequences of them having access to the website. The 
American people deserve to know the truth and are owed some level of 
transparency from this Administration as to how their information on 
HealthCare.gov is being collected, used, and secured.

    Chairwoman Comstock. Thank you.
    I now recognize the Ranking Member of the Subcommittee on 
Oversight, the gentleman from Virginia and my neighbor, Mr. 
Beyer, for an opening statement.
    Mr. Beyer. Thank you, Madam Chair Comstock, and Chairman 
Loudermilk for holding this hearing today.
    Recent news stories on the sharing of the HealthCare.gov 
visitor data with third parties really does raise very 
legitimate privacy concerns. According to these news reports, 
which we have heard, various personal data was being provided 
at multiple third-party websites and application tools embedded 
in the website. No personally identifiable information was 
provided to third parties but news reports also suggest that 
the information was being provided to third parties without the 
clear consent or any knowing consent of the visitors to the 
site.
    I think there are many questions that the Members on both 
sides of the aisle have about HealthCare.gov implementing the 
use of third-party tools. What restrictions were placed on the 
use of this data by third parties? Was there even a need for 
third-party tools on the website? How do these tools improve 
the function of the website, users' experience? Could some of 
this work have been done in-house?
    Unfortunately, we are not going to be able to get 
definitive answers to those questions today. I understand the 
majority invited government witnesses but they deferred citing 
too short notice to prepare their testimony. My understanding 
is they will be coming again later with the proper set of 
government witnesses to address these issues. In a perfect 
world, we would have had that first but right now I guess we 
have to deal with a lot of speculation and discover the 
government facts later.
    The use of third-party website tools on HealthCare.gov has 
drawn an awful lot of public attention but I hope our 
witnesses, particularly Ms. De Mooy, can help us explore the 
larger privacy issues involved.
    The use of third-party websites is worrisome but it is 
certainly not unusual in the digital online environment. One 
recent study found that the top 100 most popular websites were 
being monitored by more than 1,300 firms deploying these third-
party tools. And while I believe we should definitely explore 
the privacy implications of using the third-party websites, 
this too is only a small part of the privacy pie.
    From the moment we enter the digital domain, whether it is 
turning on our cell phone, logging onto the internet, opening 
up a tablet or other digital device, our data is collected, 
collated, and analyzed by corporations, organizations, 
government agencies, and particularly online advertising 
companies. In the physical world, our identities are often 
measured by details on our driver's licenses, birthday, height, 
gender, weight, but in the digital world, the metrics used to 
measure who we are seem to be based on observing the web pages 
we visit, the purchases we make, the people we personally 
socialize, the news items we read, and the movies we watch. And 
I am concerned about the use of these new metrics that 
constantly track and measure our personal lives online.
    On the security side, we should also realize that any IT 
infrastructure is constantly evolving and improving. It is 
unclear if the use of third-party tools has any direct impact 
yet at least on the security of HealthCare.gov but also need 
this--this needs to be put in perspective. Chairman Loudermilk 
mentioned Anthem's recent breach exposing the accounts of 80 
million customers. That is eight times the number of people who 
have signed up through--for the Affordable Care Act through 
HealthCare.gov.
    Since the launch of HealthCare.gov, an additional 10 
million Americans have healthcare coverage, and I believe that 
extending these healthcare market opportunities to 10 million 
Americans is a tremendously positive event for millions of 
families across the country. So we have very dark conjectures 
around the security of the website which we must address, but 
we also can't--must keep all of this in perspective about the 
millions of families who have been helped.
    I hope this hearing helps us explore these broad privacy 
issues and I look forward to hearing from our witnesses. I 
yield back, Mr. Chair--Madam Chair.
    [The prepared statement of Mr. Beyer follows:]

            Prepared Statement of Subcommittee on Oversight

                  Ranking Minority Member Don S. Beyer

    Thank you Madam Chair Comstock and Chairman Loudermilk for 
holding this hearing today.
    Recent news stories on the sharing of Healthcare.gov 
visitor data with third parties raise legitimate privacy 
concerns. According to these news reports data including an 
individual's income, zip code and pregnancy status were being 
provided to multiple Third-Party Websites and Applications 
(TPWAs) tools embedded on the website. According to these 
stories, no personally identifiable information, known as PII, 
was provided to third parties. However, news reports also 
suggest that the information was being provided to third 
parties without the clear consent of visitors to the site.
    There are many questions I think Members on both sides of 
the aisle have about how Healthcare.gov implemented the use of 
third party tools on the website. What restrictions were placed 
on the use of this data by third parties? Why was there a need 
for multiple third party tools on the website? How did these 
tools help improve the function of the website and the user's 
experience? Could some of this work have been done in-house?
    Unfortunately we will not be able to get definitive answers 
on any of these questions today. Today's hearing will be 
largely speculative in nature since we don't have any 
government witnesses to explain these issues. I understand the 
Majority originally invited government witnesses, but provided 
them with short notice to prepare their testimony. My 
understanding is we may have a follow-up hearing with the 
proper set of witnesses to address these issues later this 
month. In a perfect world, we would have had that hearing 
first. Instead, I fear we will start with lots of speculation 
and will then try to uncover the facts at a later date.
    The use of third party website tools on Healthcare.gov has 
drawn the public's attention to this issue, but I hope our 
witnesses, particularly Ms. De Mooy, can help us explore the 
larger privacy issues regarding the use of these and other 
tools to monitor online activities and their impact on our 
individual privacy. The use of third party websites is 
worrisome, but not unusual in the digital online environment. 
One recent study, for instance, found that the top 100 most 
popular websites were being monitored by more than 1,300 firms 
deploying these third party tools. And while I believe we 
should explore the privacy implications of using third party 
websites this is simply a small slice of the privacy pie. From 
the moment we enter the digital domain, whether it is turning 
on our cell phone, logging onto the Internet or opening up a 
tablet or other digital device our data is collected, collated 
and analyzed by corporations, organizations, government 
agencies and online advertising companies.
    In the physical world our identities are often measured by 
the details on our driver's licenses: our birth date, our 
height, our weight and gender. But in the digital world the 
metrics used to measure who we are seem to be based on 
observing the web pages we visit, the purchases we make, the 
people we ``virtually'' socialize with, the news items we read 
and the movies we watch. I am concerned about the use of these 
new metrics that constantly track and measure our personal 
lives online.
    On the security side, we must realize that any IT 
infrastructure is constantly evolving and improving. It is 
unclear if the use of third party tools had any direct impact 
on the security of Healthcare.gov, but I also believe this 
issue needs to be put in perspective. Just last week, reports 
surfaced that Anthem, Inc., one of the country's largest health 
care providers, announced that they had a data breach exposing 
the accounts of 80 million customers. That breach compromised 
PII that included customer social security numbers and e-mail 
addresses. The size of that breach is eight times the total 
number of people who have signed up for the Affordable Care Act 
through Healthcare.gov.
    Since the launch of Healthcare.gov an additional 10 million 
Americans now have healthcare coverage. I believe that 
extending market opportunities to 10 million Americans to get 
health insurance represents a tremendously positive event for 
millions of families across this country. Despite the dark 
conjectures about security of the website, they have not 
suffered any significant loss of personally identifiable 
information or major security breach to date.
    Privacy protections must be addressed and improved 
throughout the internet, and that includes on Healthcare.gov. I 
hope this hearing helps us explore these broad privacy issues 
and I look forward to hearing from our witnesses.
    With that I yield.

    Chairwoman Comstock. Thank you.
    And if there are Members who wish to submit additional 
opening statements, your statements will be added to the record 
at this point.
    Chairwoman Comstock. Okay. At this time I would like to 
introduce our witnesses. Our first witness is Ms. Michelle De 
Mooy, Deputy Director of the Consumer Privacy Projects at the 
Center for Democracy and Technology, or CDT. Prior to CDT, Ms. 
De Mooy was Senior Associate for National Priorities at 
Consumer Action, a national nonprofit focused on empowering 
underserved and disadvantaged consumers. Ms. De Mooy earned her 
bachelor of arts degree in government from Lehigh University.
    Our second witness today is Mr. Morgan Wright, Principal 
from Morgan Wright, LLC, where he provides advisory and 
consulting services in cybersecurity and identity theft. Mr. 
Wright has provided in-service training to the FBI Computer 
Analysis Response Team, served as Global Industry Solutions 
Manager for Public Safety and Homeland Security at Cisco, and 
as Vice President of Global Public Safety at Alcatel-Lucent. 
Mr. Wright received his bachelor of science from Fort Hays 
State University and an Executive Certificate in Leadership and 
Management from the University of Notre Dame. Perhaps most 
important of all, Mr. Wright is a resident of the 10th District 
of Virginia, but I didn't know you were coming today until they 
reached out. But I am pleased to welcome you today to the 
hearing.
    So pursuant to Committee's rules, all witnesses must be 
sworn in before they testify so I guess we all stand up. And 
please rise and raise your right hand.
    Do you solemnly swear or affirm that the testimony that you 
are about to give will be the truth, the whole truth, and 
nothing but the truth so help you God?
    Let the record reflect that the witnesses answered in the 
affirmative.
    Thank you. You can be seated.
    Okay. And now we will have our five-minute statements from 
the witnesses. And your entire statement, if it is longer, will 
be entered into the record also.
    I now recognize Ms. De Mooy for five minutes to present her 
testimony.

               TESTIMONY OF MS. MICHELLE DE MOOY,

               DEPUTY DIRECTOR, CONSUMER PRIVACY,

              CENTER FOR DEMOCRACY AND TECHNOLOGY

    Ms. De Mooy. Chairwoman Comstock, Chairman Loudermilk, 
Ranking Member Lipinski, Ranking Member Beyer, and Members of 
the Committee, thank you for the opportunity to come here today 
and testify on behalf of the Center for Democracy and 
Technology.
    CDT is a nonpartisan, nonprofit technology policy advocacy 
organization dedicated to protecting civil liberties and human 
rights on the internet, including privacy, free expression, and 
access to information. I currently serve as the Deputy Director 
of CDT's Consumer Privacy Project.
    We welcome the attention the Committee has given to the 
pressing issues of consumer data privacy and security through 
the lens of data sharing on HealthCare.gov. I will review first 
the data-sharing practices on HealthCare.gov, discuss the 
privacy and security concerns that these bring up, and make 
five concrete recommendations for the government to address 
these concerns.
    Several weeks ago, the security firm Catchpoint Systems 
found that user information was being shared with over 50 
entities on HealthCare.gov without user knowledge or 
permission. When citizens visit HealthCare.gov to learn more 
about the programs offered to them under the Affordable Care 
Act, they are asked to give certain pieces of personal 
information in order to show which health insurance plans they 
qualify for. After submitting this information, HealthCare.gov 
then surprisingly sent a referral URL to an array of third 
parties that included some of this information that the 
consumers had submitted to the site, including parental status, 
ZIP code, and annual income. This information is used both by 
websites themselves and third parties for website analytics, as 
well as for advertising and marketing purposes, also known as 
retargeting.
    For HealthCare.gov administration officials have said that 
the refer URL was directed to third parties in order to give 
consumers a simpler, more streamlined, and intuitive 
experience, and this is doubtless true. However, the 
government's decision to work with outside vendors allowed 
private companies to access user information without their 
knowledge or consent. It is not clear if HealthCare.gov used 
tracking technologies for retargeting purposes but it appears 
likely to have played a role.
    The use of retargeting in order to increase awareness of 
and enrollment in available health insurance plans would have 
been an understandable goal for the government. It is not, 
however, a free pass for the government to share user 
information and characteristics with an array of third-party 
commercial entities, without permission.
    Sharing of personal information with third parties is a 
privacy concern for several reasons. People who visit 
government websites often do not have a choice. They must visit 
a designated online place in order to access specific 
government products and services. Personal data is valuable. 
When personal information is collected and shared, it is often 
combined with other data to build individual profiles. This 
profile is used to target products and services to you and is 
increasingly also used to create consumer scores that function 
similarly to credit scores. Health information in particular is 
sold for a high premium on underground markets, some experts 
estimate up to $40 to $50 a record, because it is fairly easy 
to monetize for criminals seeking to bill expensive medical 
items to Medicaid, for example, or to commit medical identity 
theft. The theft or use of health information is much harder to 
recognize and stop than the theft of financial data and more 
difficult for victims to seek redress.
    The number of third-party content providers loading code 
into the browsers of visitors on HealthCare.gov poses serious 
security issues. Researchers have pointed to third-party 
content as one of the primary ways for websites to be infected 
with malware. Hackers wishing to compromise the integrity of 
third-party content providers can accomplish a wide range of 
attacks from simply changing the content of the page to 
capturing user information and credentials like passwords.
    There is no evidence that personal information from 
HealthCare.gov has been misused but the number of outside 
parties that can load content and that can see personal 
information about users is troubling.
    Overall, the privacy and security missteps taken by 
HealthCare.gov were avoidable. We recommend that the government 
immediately take the following steps: 1) follow sensible 
guidance available to them and to Office of Management and 
Budget documents on third-party sharing; 2) implement the six 
recommendations to protect user privacy and security on 
HealthCare.gov made in a 2014 report by the Government 
Accountability Office; 3) strengthen HealthCare.gov's privacy 
policy limiting third-party sharing only to which it needs to 
function; 4) implement in-house analytic software that does not 
report user data back to the software maker; 5) honor the 
wishes of consumers that express a preference in their browsers 
not to be tracked.
    Ultimately, Congress can best protect consumer information 
by strengthening legal incentives for companies to better 
safeguard data and by enacting comprehensive data privacy 
legislation to give users more control over how their 
information is collected and used.
    Thank you.
    [The prepared statement of Ms. De Mooy follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]     
        
    Chairwoman Comstock. Thank you.
    I now recognize Mr. Wright for five minutes.

                TESTIMONY OF MR. MORGAN WRIGHT,

                 PRINCIPAL, MORGAN WRIGHT, LLC

    Mr. Wright. And it is a pleasure to be in the 10th 
District. Thank you.
    Chairwoman Comstock, Chairman Loudermilk, Ranking Member 
Lipinski, and Ranking Member Beyer, and Members of the 
Committee, thank you for inviting me again to testify.
    I am Morgan Wright. I am a Principal of Morgan Wright, LLC. 
I provide advisory and consulting services to the private 
sector in the area of cybersecurity, advanced technology 
introduction, strategic planning, and identity theft solutions. 
In addition, I am currently a Senior Fellow for the Center for 
Digital Government. The Center is an advisory institute on 
information technology policies and best practices in state and 
local government.
    Now, I had the honor of testifying before the Committee on 
November 18, 2013, concerning the security of HealthCare.gov at 
that time. Since that time, there has been progress made in 
addressing security and privacy concerns, but yet I find myself 
repeating many of the same observations today that I made 
nearly 15 months ago.
    I was posed three questions from the Committee. As to the 
first question, in the healthcare field, there is an approach 
they call minimum effective dose, which is the lowest dose 
level that you need to get a significant response. If we apply 
that to third-party applications on the site, it is apparent to 
see that out of the 50 previously reported compared to the 11 I 
observed this morning when I checked the site again, that was 
an overdose not needed as evidenced by the action of removing 
39 of them since discovery. In comparison, Whitehouse.gov and 
IRS.gov have only four and two third-party applications running 
respectively. There is no doubt some level of measurement is 
needed but 50 is digital overkill.
    Numerous questions need to be answered by CMS. Are there 
any written agreements governing the collection and use of PII? 
How long has each third party been active on the site? How is 
the use of data governed and audited? Were consumers ever 
notified that their PII was being shared with third parties? 
And these are just a few of the questions.
    As to the second question, the security of the site has 
been a primary point of weakness since before the launch on 
October 1, 2013. In my previous testimony, I highlighted 
several major issues prior to and after launch. Among them was 
the lack of and an ability to conduct an end-to-end security 
test on the production system. The fact that numerous security 
flaws, flaws that are the most basic type, are left to be 
discovered by outside third parties, makes it appear 
HealthCare.gov is crowdsourcing the security and privacy of 
this important site.
    In September of 2014 the GAO issued a report on the site. 
The highlights state in part that weaknesses remain in both the 
processes used for managing information security and privacy, 
as well as the technical implementation of IT security 
controls. Just some of the key findings: one of the key 
findings, CMS has not fully implemented security and privacy 
management controls. It stated that it did not fully implement 
actions required by NIST before collecting and maintaining PII.
    Another finding: CMS did not document key controls in 
system security plans. The findings said without complete 
system security plans, it will be difficult to make a fully 
informed judgment regarding the risk. Look, if an authorized 
security decision-maker cannot be fully informed to understand 
the current risk, it is inconceivable to think that sufficient 
information exists today to enable 50 third-party applications 
to operate on HealthCare.gov and to fully understand the 
associated risk.
    Another finding: CMS did not conduct complete security 
testing. This is an echo of my previous testimony.
    And one of the final ones: control weaknesses continue to 
threaten information and systems supporting HealthCare.gov. And 
in the finding it said CMS--and this is the troubling one--CMS 
did not restrict systems supporting the federally facilitated 
marketplace, FFM, from accessing the internet. Allowing these 
systems to access the internet may allow for unauthorized users 
to access data from the FFM network, increasing the risk that 
an attacker with access to the FFM could send data to an 
outside system or that malware could communicate with the 
command-and-control server.
    The unmanaged access to outside connectivity is very 
disconcerting. The documented activities of Unit 6139A of the 
Chinese People's Liberation Army and the indictment of five of 
their members relied upon this exact recipe for their 
activities. The introduction of third-party applications 
combined with lack of security, oversight, and control raises 
the specter of current and undetected state-sponsored 
penetration of HealthCare.gov. Significant data breaches have 
been accomplished against far more secure systems.
    And as to question three, as NIST continues its leadership 
role, it has spearheaded the development of the framework for 
improving critical infrastructure cybersecurity. A review of 
the framework provides valuable approaches for CMS to utilize 
in securing the site. The aspect of privacy is so fundamental 
that it was referred to 30 times in the document. One of the 
foundational documents is their Special Publication for 
Information Systems and a key section of the document is 
Appendix J, Privacy Control. It is a relatively new section but 
I believe that there is one control under there, AR-3, privacy 
requirements for contractors and service providers would be 
applicable in this case to the use of third-party applications 
and, if followed, would have allowed--would not have allowed 
for the proliferation of unmanaged data collection.
    So thank you for your time and I look forward to your 
questions.
    [The prepared statement of Mr. Wright follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 
        
    Chairwoman Comstock. Thank you very much. I thank the 
witnesses for their testimony and insights.
    And now we are going to do questioning for five-minute 
rounds. And I will recognize myself for five minutes.
    Now, given that we first learned about these I guess about 
three weeks ago. If we were--and this is to both of you--if 
HealthCare.gov were employing a lot of the management tools 
that you have outlined here for us, would CMS be able to fairly 
simply tell us what was going on? Is it something that should 
take a long time for them to tell what their system does and 
whether it is safe or not? Because I think from the consumers' 
standpoint, I think we would like to know pretty quickly what 
is going on one way or the other in case it needs to be 
remedied, like you said in the case of if 50 is too many, what 
is okay or what is--shouldn't they know how many are there? So 
I am just trying to get a sense of what should they be doing so 
that they can tell us something fairly basic like this pretty 
quickly.
    Mr. Wright. You bring up--and I appreciate the question. 
You bring up from my prior testimony, I think one of the 
fundamental things that has to be done is a complete end-to-end 
security test of the production system. It is referenced again 
in the GAO report and Ranking Member Lipinski, even to your 
comments, there has been a lot of significant progress made. 
They do need to do marketing but we all want that marketing to 
be safe. You know, HealthCare.gov isn't about R's and D's. It 
is about ones and zeros. It has no allegiance to a party. It 
does what it is told and my concern is that the ones and zeros 
are not being told to do the right things to protect not only 
the privacy but the security. You can't have total visibility 
of a system until you understand end-to-end. And the government 
would not allow a car to be sold on the open market unless it 
went through a complete crash test. You cannot test individual 
components of a car and say it is safe; it has to go through 
the entire gambit. And HealthCare.gov should do the same.
    Ms. De Mooy. Yes, thank you for the question. I think from 
a consumer perspective the way that people would have found out 
about this was through the privacy policy, and we found a lot 
of problems with the HealthCare.gov privacy policy. For 
example, it is very broad and very vague. They don't define 
personally identifiable information and there are guidelines in 
NIST for defining this, but the impetus is on the privacy 
policy to sort of define it for itself so that there aren't any 
loopholes in which data can fall through. So that would have 
been very helpful. That would have been a form of transparency 
that would have allowed people to understand a little bit more.
    Also, the privacy policy kind of deferred to the privacy 
policies of the third parties. So it was--the onus was on the 
consumers or the visitors of the site to find out the policies 
then of the third parties, which is a little disingenuous 
considering that many people had no idea that these third 
parties were there in the first place.
    Chairwoman Comstock. You know, if one of the reasons why 
they are doing this is they are trying to reach more people to 
say hey, you might be eligible, you know, whatever you are 
doing, aren't there other much safer ways to do that? Like, 
say, you know, if we know a particular ZIP code has a high 
density of uninsured people, you can--I mean would it expose 
anyone's privacy if you were maybe advertising online to 
somebody in their ZIP code or, you know, you were doing 
outreach efforts that are targeted to targeted populations? Is 
there a way--what is the best--you know, sort of best practices 
on doing that in a way that secures people's privacy?
    Ms. De Mooy. Sure. Yes, Chairwoman, I think that the way 
that you put it is exactly right, that there are ways to limit 
it to certain data points so that you are not getting 
unnecessary data in order to do things like retargeting. And 
yes, there are very good reasons why the government, to fulfill 
its mandate, would need to do outreach to try to get more 
enrollment, to try to get people aware of these programs.
    That said, I think the way that my fellow witness here put 
it, it was overkill. There was no need for the leakage that 
occurred. And I think some of this is governed by the contracts 
that existed between the government and the vendors that they 
used, and I think it would be very helpful for when the 
government witnesses are here to find out exactly what the 
terms of those contracts were in terms of data sharing.
    Mr. Wright. Just a quick follow-up, too. You know, I am not 
the marketing expert, but however, I do know is that a great 
marketing product or software implemented poorly is still a 
poorly designed product. And the concern is is that even though 
as these things collected data and information, there is a huge 
issue with the collection of data by several--there are about 
52 major data brokers that, if you want to find out what 
somebody is doing online, their address, we saw this in 
Ferguson, we saw this with ISIS and the compromise of the 
CENTCOM site. They are using personally identifiable 
information to target people.
    Ask Colonel Replogle of Missouri Highway Patrol. His 
information was released by Anonymous and he was specifically 
targeted. So these things--these programs have consequences if 
not managed correctly.
    Chairwoman Comstock. Thank you very much.
    And I now recognize Mr. Lipinski.
    Mr. Lipinski. Thank you, Madam Chairwoman.
    I just want to make sure we try to take a couple steps back 
here because there is a lot we don't know unfortunately. And I 
do look forward to asking questions of the--of the CMS.
    But just so I have a better understanding, I think we 
discussed the use of third-party analytics tools is common in 
both private and governmental websites. What usually is done on 
a private website when they are using a third-party data 
analytic--how is it--how is privacy--and again, we have to talk 
about what the standards are going to be, but what is usually 
done? When I go to a website, how often are there third parties 
looking at the data and what happens with that and how do I 
know that there are third parties? What is going on with that 
and am I--is there any way that I am protected if I am going to 
a private website?
    Ms. De Mooy. Thank you for the question. It is a great 
question and it sort of begins at the layers of communication 
that occur when you go onto the web. Some of them are behind 
the scenes and some of them are more apparent. It is rampant on 
the web certainly with commercial websites but even, you know, 
all sorts of entities. Data sharing is absolutely aggressive. 
So in terms of protections, there are very few. There are 
settings that you can place on browsers that restrict or at 
least broadcast the fact that you would not like to be tracked, 
but those are sort of on the honor system right now, which 
makes it difficult to enforce.
    But just to get back to your technical question, when you 
are online and say, for example, you click on a link or you go 
to a website, it will trigger a message from your browser to 
the intended website's server and that sort of announces your 
arrival to them and it will share basic information about you 
like your IP address, which I think most people know but it is 
sort of like your telephone number is your address on the 
telephone network. Your IP address is your address on the 
internet. And the information exchanged usually during this 
point is just utilitarian, sort of what does your browser 
support so that the website will load correctly?
    When a website wants to customize this and wants to sort of 
remember who you are and remember certain places that you may 
have gone, things you are interested in, which is how we put 
customization, they may enact third parties and that may 
involve dropping a cookie, which is sort of a little recorder 
is the way I like to think of it, onto your computer and that 
will observe where you have been and it will also observe where 
you are going to, so different websites that you are surfing to. 
And if the site wants to do marketing and advertising, they 
will employ third parties and they will have different 
contracts. And this can be up into the hundreds and thousands 
for some sites.
    Mr. Lipinski. And why would there be so many?
    Ms. De Mooy. Well, it is a lucrative business and data 
miners and advertising networks work in real time, and so the 
time that you are online may feel slow to you but to the 
advertising networks, they are grabbing millions and trillions 
of data points every single second. And so that is monetized 
then into serving advertisements. So the more, the merrier.
    Mr. Lipinski. Okay. Because is there any--the question is 
for the--for HealthCare.gov is why were there so many--however 
many it is--and we are still not exactly sure how many--why 
would there be a dozen, two dozen, three dozen----
    Ms. De Mooy. Um-hum.
    Mr. Lipinski. --and why would HealthCare.gov--why would 
they use that many?
    Ms. De Mooy. To me that is inexplicable to be quite honest. 
I can tell you that the rationale would probably include web 
customization, so wanting, as they said, to make the site more 
streamlined, more intuitive for people so that it is easier to 
find access to the information they are looking for. In other 
words, if a consumer comes to a website and they really just 
want to see the plan rates, but the website will serve that to 
them the next time and it sort of remembers that.
    The act of having--especially for a government website--
that many entities in order to do something like retargeting to 
me is inexplicable. I think it is an example--and this is just 
speculation--is an example of when you have multiple different 
contractors working on a project, this was sort of the easiest 
and kind of laziest way to design the site, to do--there are 
ways to do it in-house and there are ways to do it in a more 
privacy-protective manner, but that was not done here.
    Mr. Lipinski. Okay. There are ways to do that in-house, you 
said----
    Ms. De Mooy. Yes.
    Mr. Lipinski. --and your testimony you had talked about 
that. I think I am going to--my time is almost up. I want to 
make sure everyone else has questions.
    If we have time for a second round, I will have more, but I 
yield back.
    Chairwoman Comstock. Thank you.
    I now recognize Mr. Johnson for five minutes.
    Mr. Johnson. Thank you, Madam Chairman. And thank you to 
the panelists for being here today.
    I can tell you that as a 30-plus year IT professional both 
in the Department of Defense and in the private sector I remain 
very, very concerned about the inadequacy of security and the 
safeguarding of consumers', hard-working taxpayers' personal 
private information.
    Ms. De Mooy, in May of 2013 the President issued that 
Executive Order to establish an open data policy to make open 
and machine-readable data the new default for government 
information taking really historic steps to make government-
held data more accessible to the public and to entrepreneurs 
while appropriately safeguarding sensitive information and 
rigorously protecting privacy, or so it is stated.
    Let's go back for a second so that I can get this straight. 
Is it mandated in your opinion--it has been mandated by the 
government that Americans need to sign up for healthcare and 
that, for the most part, they will do so on the government-
created website HealthCare.gov, correct?
    Ms. De Mooy. That is correct----
    Mr. Johnson. Okay.
    Ms. De Mooy. --as far as I know.
    Mr. Johnson. Now, once they are on HealthCare.gov, they 
have to give their personal information in order to sign up for 
their healthcare, correct?
    Ms. De Mooy. That is correct, sir.
    Mr. Johnson. Okay. And with what we are learning today, the 
government is then helping companies through this Open Data 
Initiative to collect all of that personal information of the 
American people--on the American people, correct?
    Ms. De Mooy. I am not quite sure what the question was.
    Mr. Johnson. What we have learned from the President's 
Executive Order and all of this open data transformation that 
he has done, we are learning that the government is helping 
these outside companies through their data mining efforts, 
through this Open Data Initiative to collect all of that 
personal information on the American people, correct?
    Ms. De Mooy. My understanding of the Open Data Initiative 
is a bit different. It is more about actionable data that can 
be used to help the public or for the public. It is more about 
transparency. And in this case, transparency would have been 
very helpful. I think that the fact that people have no choice 
when they come is a serious problem that should have held the 
government to a higher standard in terms of protecting their 
privacy and security.
    Mr. Johnson. Well, again going back in my experience and 
something that Mr. Wright said a little earlier, you know, this 
is not rocket science. It is ones and zeros. And if they are 
allowing this Open Data Initiative to collect some information 
that is out there, I mean we have seen how many different 
commercial and government systems have been hacked by the bad 
guys already----
    Ms. De Mooy. Um-hum.
    Mr. Johnson. --and with the security concerns that we have 
got about HealthCare.gov already, do you believe that the 
Administration is yearning for greater openness to make 
government-held data more accessible? Do you believe that has, 
whether intentionally or unintentionally, potentially 
compromised American citizens' privacy on HealthCare.gov?
    Ms. De Mooy. In my opinion, no. I think the government--I 
can't speak for what the intentions were. I don't have any 
direct knowledge of that, but I can say that my understanding 
of the Open Data Initiative was about giving citizens more 
opportunities for actionable data, more transparency in the 
government, and I think in this case it had more to do with the 
function of the site, which was to reach as many people as 
possible, to, you know, do some advertising and marketing to 
get to the populations that would be interested in this. And I 
think they went far beyond what was necessary and far beyond 
what their own government has suggested and prescribed.
    Mr. Johnson. I am running out of time.
    Mr. Wright, same question to you. Do you think that 
allowing this Open Data Initiative, have we potentially 
compromised American citizens' privacy on HealthCare.gov given 
what we already know about the security inadequacies of the 
system?
    Mr. Wright. My opinion would be yes because it is a--
because now what you are mandating is a philosophy and a 
direction to say everything will be shared except for maybe 
some certain things. So people may be interpreting what the 
intent of the Executive Order was and they are attempting to do 
things, but without clear guidance, without clear structure, 
without clear privacy and security, you then get the law of 
unintended consequences, which is the information is used 
improperly and collected improperly and collected in an 
unabated fashion.
    Mr. Johnson. I tend to agree with you, Mr. Wright. I 
respect your opinion, Ms. De Mooy, but as someone who has had 
to provide security to systems--in systems, I personally think 
we have opened the proverbial barn door and the cows are going 
to get out. And with that, I--my time is expired.
    Ms. De Mooy. I am sorry. I just had one additional comment 
to make, sir.
    Just--I think the Open Data Initiative should be coupled 
with the understanding that trust is necessary. The people 
needed to have trust in the systems and particularly when it 
comes to healthcare Americans shouldn't have to choose between 
privacy and health.
    Mr. Johnson. Oh, my goodness, Madam Chair, you are exactly 
right. The people should be able to trust, but the 
Administration has demonstrated clearly that it is not a 
trustworthy system.
    Ms. De Mooy. Right, and perhaps proverbial--
    Mr. Johnson. Security was never designed into the system in 
the first place.
    Chairwoman Comstock. Thank you.
    I now recognize Mr. Beyer for five minutes.
    Mr. Beyer. Thank you, Madam Chair.
    Mr. Wright, I just wanted to clarify one thing. You suggest 
in your testimony that personally identifiable information was 
released from HealthCare.gov and it is true that information 
was released to third parties--we have heard about this, the 50 
people--50 agencies, and there certainly are legitimate 
privacy-related questions, but from everything I know there is 
no PII data that was actually released and certainly no medical 
records.
    Unfortunately, we have seen many, many other instances of 
PII data released on a frequent basis. Last year, eBay revealed 
that hackers had stolen the personal records of 233 million 
users, including usernames, passwords, phone numbers, and 
physical addresses. Anthem, we talked about, with the 80 
million. My wife seems to get a new credit card every 90 days 
because the bank sends her a note saying the credit card has 
been compromised. And these are all unfortunate circumstances 
but they point to larger issues, security and privacy, but I 
don't think they point to specific PII data from 
HealthCare.gov. Your comments?
    Mr. Wright. No, correct. And it is not the implication that 
people's complete PII was released, but when you take pieces of 
information such as your age, your income, whether you are 
pregnant or not or you smoke, the whole point about the ability 
to correlate from large amounts of data sets, your visit at 
HealthCare.gov combined with information from other data 
brokers or other things that you have done has now created the 
opportunity, and actually the end result then is the disclosure 
because you provided the key components that link behavior on 
one side or behavior on the internet now to very specific 
information about you.
    The Chair, when she released her statement, is one of the 
things in my written testimony about MIT. We have now gotten to 
the point on the internet to where there is so much data 
floating out there it takes very small steps to be able to 
create a profile on a user to understand where you live, what you 
do, what your interests are. Marketers use it all the time but 
the issue--the difference between the public sector and the 
private sector is if my information gets exposed from eBay, 
there will be 1,000 attorneys filing class-action lawsuits. 
Unfortunately, with the immunity of the federal government, 
citizens don't have the same recourse. So to your point, that 
higher standard needs to be there. So because I don't have that 
recourse I should then have the higher standard to not have to 
worry about that.
    But in total agreement, no specific PII was released, but 
the combination of factors and bringing it all together, it is 
the totality of the circumstances, not an individual action.
    Mr. Beyer. Okay. Thank you very much.
    Ms. De Mooy, is there any reason not to prohibit third-
party vendors and can the website even be evolved to work 
without outside vendors, in-house data analytics? And I wonder, 
too, this is very speculative, but we know how tortured the 
rollout of HealthCare.gov was. How much of this do you think 
was the crashing and burning of CGI and the replacing with 
Accenture and all the firms trying to put Humpty Dumpty back 
together again?
    Ms. De Mooy. Well, I appreciate that analogy. I don't have 
any knowledge about the mechanisms that went on. I can 
speculate that when you hire a lot of outside vendors to work 
on one project, that the communications can fall apart. And I 
think in this case, when I look at the site design, it feels to 
me a bit lazy. And like I said before, the easiest thing is to 
just allow rampant sharing. It is a little more technical and 
in fact more well-designed to limit that sharing.
    Yes, the government could do some of the analytics, 
definitely the analytics in-house. They could create sharing 
buttons. They could have, you know, really ironclad privacy 
policy that includes privacy policies for their third parties 
as opposed to sort of adopting the policies of their third 
parties.
    Mr. Beyer. You had mentioned that we need comprehensive 
data privacy legislation.
    Ms. De Mooy. Correct.
    Mr. Beyer. Is there such model legislation out there?
    Ms. De Mooy. We are waiting on the White House. They had 
said that they would release it 45 days after the President's 
State of the Union address.
    Mr. Beyer. Okay. Great. Thank you.
    I yield back, Madam Chair.
    Mr. Wright. Could I actually add just one comment? Is that 
okay?
    To your point, though, actually I think one of the things 
that would help is really not a technical issue. Back in my day 
doing work inside the justice, the intelligence community, the 
one thing that always had to be there was that executive 
sponsorship, that single point of contact who is what--we used 
to call it the single throat to choke. I think something that 
would vastly help and I think the implementation of Accenture 
over CGI, bringing in people who actually have the ability to 
do that leadership and create that single point of leadership. 
I think that is one of the biggest failures is there was no 
single prime in charge of the entire project. We had a lot of 
stovepipes, which we know from information sharing caused 
problems. I think the biggest thing they could do is really get 
down to that single point of contact, who is the true leader 
that I can go to, push their belly button, and solve all of my 
problems?
    Mr. Beyer. Thank you very much.
    Chairwoman Comstock. Good. I now recognize Mr. Posey for 
five minutes.
    Mr. Posey. Thank you, Madam Chairman.
    I understand the purpose of retargeting. When I look at a 
barbecue or a bathroom vanity or a power tool on a hardware 
store website, I understand, but it doesn't necessarily make me 
comfortable that the same product pops up on the next website 
that I visit. And, you know, I understand the idea that 
companies want to be able to target me in a similar way, but I 
don't understand why HealthCare.gov would feel the need to have 
such similar tactics incorporated as to hardware store or 
Zappos or whatever. I mean it seems like a larger invasion of 
privacy. It seems like a larger invasion of privacy to me. Just 
wondering what your thoughts are, both of you?
    Ms. De Mooy. Thank you for the question. I think the reason 
that I would imagine that the government would give for doing 
retargeting, which, as I said before, it isn't certain--it 
appears to be likely but it is uncertain--the reason they would 
have done that would be to find the people who needed the 
information, so to reach into communities where people who 
don't have health insurance live, go to the sites, and the way 
that they would learn this is by, you know, sharing the 
information and learning where people come from to where they 
first learned about it and link to the site and go and making 
sure that they are advertising at that site.
    One of the problems with that in terms of--from a privacy 
advocacy perspective is that when you reach into communities 
such as those that don't have health insurance, you are often 
reaching into communities that are disadvantaged, and there 
have been studies and surveys that show that people who are 
disadvantaged tend to suffer more privacy harms in terms of 
being labeled. I know the Senate Commerce Committee report came 
out that identified some of these labels as ``urban and barely 
making it,'' ``second city ethnic,'' things that are insulting 
to say the least but also can actually accelerate the cycle of 
poverty by sending things like predatory loans and different 
sorts of interest rates.
    Mr. Wright. I am with you. I confuse privacy and property 
all the time. I think I buy too much online sometimes.
    My aspect on it though is not from a marketing standpoint, 
but any time--if you take a penny and you double it, you know, 
every day for 31 days, you end up with $10,700,000. Every time 
you add another component, every time you add more things that 
have to be done, every time you add another third-party 
application, you just don't arithmetically increase the attack 
vectors; you geometrically increase all the things you have to 
defend against.
    That is why in my opening statement I talked about, you 
know, physician, heal thyself. Use a minimally effective dose. 
Use only the things you need to use to accomplish the mission 
you need to accomplish. It should be a well-defined business 
case that has security and privacy impacts understood before 
you do it, and then when you get things like retargeting and 
stuff, then you have very limited scope specifically addressed. 
But to my--from my perspective, you limit the vulnerabilities 
then to the site and the amount of things that can be exploited 
because one program of itself may be secure, but combined with 
another one and a third one could create a host of unintended 
vulnerabilities you are not aware of because you have never 
tested that combination of programs before.
    Mr. Posey. Thank you. And good answers.
    Is there a requirement or standard or practice for private 
companies to inform visitors about third-party analytics?
    Ms. De Mooy. Yes, sir. Generally, this is done through a 
privacy policy, which I would imagine most of us in here don't 
read. I know that I have been guilty of that. They are very 
lengthy usually in sort of a legalese that is difficult for 
most people to wade through. So we almost always agree if it is 
something that preempts joining a service or a site.
    The government in this case should be held to a higher 
standard than that in my opinion not just because the 
government should be the steward of privacy and security but 
also because, as I said, people don't have a choice. They need 
to go to this website and they should have been given a choice 
about whether to share their data.
    Mr. Posey. Mr. Wright?
    Mr. Wright. And actually just one point, I mean do you know 
how many companies would pay big dollars to guarantee 10 
million visitors to their site? I mean it is--there is a--that 
is, you are right, big money, and there is no choice for them 
to go to that. And so to that point it does need to be a higher 
standard because they don't have a choice. Consumers have a 
choice of going to private websites. They also have the choice 
of litigation. So with Anthem, with eBay, with all the other 
ones, there will be litigation over this but it is very difficult 
to sue the federal government.
    Mr. Posey. Very good.
    Thank you, Madam Chair. I yield back.
    Chairwoman Comstock. Thank you.
    I now recognize Ms. Bonamici for five minutes.
    Ms. Bonamici. Thank you very much, Chair Comstock and 
Ranking Member Lipinski.
    This has been a very interesting discussion, and I have to 
say that it really highlights the issues of--two issues of 
importance: access to healthcare and protection of personal 
privacy. I spent part of this morning in a hearing in the 
Education Committee about privacy regarding student records, 
and I said then and will say again that whenever we are talking 
about legislating in the area of technology, it is always a 
challenge to find the right balance because, as we all know, 
the technology advances usually a lot quicker than the 
legislation so we want to make sure that we are finding the 
balance that protects people's privacy but does not inhibit 
valid, useful purposes for technology and advances in 
technology.
    So I really do look forward to hearing from CMS and hearing 
their answers. I know we have had some hearings on this issue 
before but highlighting from them. As Ranking Member Beyer 
said, it would have been best to have them answer questions 
first and then we could follow up on what they said.
    But, you know, I want to say that we all acknowledge that 
there are legitimate problems with HealthCare.gov. Certainly in 
my State of Oregon we did not do a good job at all with that. 
But it is also important to remember that the Affordable Care 
Act is about more than a website; it is about access to 
healthcare for millions of Americans.
    I want to make sure that we don't, in this hearing and 
other hearings in the future, spread any sort of unfounded fear 
or misinformation when really our constituents are looking for 
clarity. So I hope we can help inform them about ways that they 
can protect their privacy online and specifically keep their 
personal information safe.
    And I want to ask you, Ms. De Mooy, and follow up on the 
conversation you were having with Mr. Posey, that you say in 
your testimony that consumers from disadvantaged communities 
face more potential harm such as being profiled in databanks. 
So given the importance of the Affordable Care Act to 
disadvantaged communities that have historically lacked access 
to affordable healthcare, how can HealthCare.gov do a better 
job of serving those consumers while also protecting their 
privacy?
    Ms. De Mooy. Thank you so much for the question.
    The government needs to implement the recommendations that 
I outlined in my testimony that include guidance from OMB that 
really lays out exactly how a government should interact with 
third parties. It is very privacy-protective. It is also 
practical in terms of using sharing technologies, using web 
analytics technologies.
    And also my fellow witness brought up and I should mention 
the GAO report in 2014, which appears to have been ignored. I 
am not sure exactly if that is the truth, and it would be 
really good to hear from the Administration on the progress, 
but those are also excellent privacy and security guidances 
that the report gave. So I would say that that would be a good 
start. And it is actually--as opposed to a data breach, it is 
something the government can do right now.
    Ms. Bonamici. Right. And I look forward to following up on 
that when the Administration is here.
    So we talked a lot about the personally identifiable 
information, or the PII, and I am just intrigued by this whole 
discussion because, you know, we--Mr. Posey was talking about 
Zappos and shopping online and how he gets those ads, and not 
to minimize the issue, but say, for example, someone is 
searching for a cure for morning sickness or newborn clothes, 
might someone figure out that perhaps they were pregnant? Or 
what if they shopped for some sort of product to quit smoking? 
My point is that there are a lot of ways that I guess these 
third party companies can figure out those personal--personally 
identifiable issues.
    So just to confirm, has any personally identifiable 
information been gathered through HealthCare.gov--been used 
improperly?
    Mr. Wright. You bring up a very good question. By the way, 
sorry about the Ducks. They beat Florida State, Notre Dame----
    Ms. Bonamici. Oh, I was----
    Mr. Wright. --so I am with you on that.
    Ms. Bonamici. Sorry you reminded me about that, though. I 
am still recovering.
    Mr. Wright. Yeah. The issue is--and I go back to it--it is 
the GAO report. It is what I said November 18, 2013. They have 
never done an end-to-end security test, so until you do, you do 
not know that PII has never been exposed. All you can say is as 
far as we know, which back in my days as a detective always got 
me in trouble with the defense attorneys, as far as I know, so 
you don't know everything, you just know that.
    Ms. Bonamici. Yeah, and I understand that they did an end-
to-end security review in December and they are currently 
reviewing that, so we will make sure that we ask about that 
when----
    Mr. Wright. Well, actually it was a review of controls as 
opposed to an end-to-end full system security test of the 
production system.
    Ms. Bonamici. Thank you. And I do want to try to squeeze a 
question in----
    Mr. Wright. Sure.
    Ms. Bonamici. --in the last couple seconds about human 
factors, research, and I know that--I mean, Ms. De Mooy, you 
talked about how people just tend to click without reading 
policies. They are given to following what is convenient, don't 
understand the fine print or the options, so is there some 
research that we can do or that can be done that will help 
inform consumers so that they can better protect their privacy 
and defend against cybersecurity threats? Is there certain 
kinds of research that we need to help our consumers and 
constituents?
    Ms. De Mooy. Honestly, no. There have been quite a few reports 
and studies done and I think almost every aspect of this has 
been looked at and picked apart either by academics or 
technologists or advocates. I think simply entities, government 
entities, commercial entities, need to take privacy 
insecurities very seriously and not view the opportunities to 
get data as, ``I will collect as much as I can and then figure 
out what to do with it later,'' but to have very solid systems 
in place that include privacy risk assessments and privacy 
model threats, which is, you know, something that is a sort of 
a wonky thing to say but is actually very useful, even for the 
average person to consider what data may be getting out there 
about you, to really take the resources that are available 
online to look at your data profile. There are some companies 
that allow that. There are some that give you sort of your 
advertising profile.
    Those resources are helpful but I think really the onus is 
on especially the government to lead the way by having the 
highest standard of privacy and security and then to create 
legal incentives for companies to protect and safeguard user 
data.
    Ms. Bonamici. Thank you so much, and my time has expired. I 
yield back.
    Thank you, Madam Chair.
    Chairwoman Comstock. Okay. And now I recognize Mr. Palmer 
for five minutes.
    Mr. Palmer. Thank you, Madam Chairman.
    Following on that line of questioning, in the Anthem hack, 
the hackers got access to medical IDs and that is a little bit 
more problematic than just finding out what drugs people buy 
and whether or not they exercise, that sort of thing. Would it 
not create some issues in regard to violation of the HIPAA laws 
if a company bought that data and was able to specifically 
target advertising to people, for instance, who are diabetic or 
have certain other conditions? Let me address that to Mr. Wright.
    Mr. Wright. I remember the initial creation of HIPAA and 
stuff and I know a lot of that dealt with the encryption. I am 
not an expert on HIPAA so I don't even want to pretend that I 
can answer that completely.
    Mr. Palmer. Well, let me simplify it.
    Mr. Wright. Yes.
    Mr. Palmer. It is against the law to disclose individual 
health--patient information.
    Mr. Wright. Correct.
    Mr. Palmer. The doctor can't do it without your permission.
    Mr. Wright. Correct.
    Mr. Palmer. He can't share it with anyone, and that medical 
ID could potentially get people access to that, that they would 
then sell that information. And it seems to me that if this is 
going on, there ought to be some legal recourse that either the 
government takes or the individuals take against companies who 
buy the data. It needs to go both ways, not just going after 
the hacker but going after the people who are buying the 
information. It is almost like buying fenced goods.
    Mr. Wright. Um-hum.
    Ms. De Mooy. Sir, I think one thing that would help would 
be some transparency into the system, which there is very 
little of it right now. Second, I would just say that HIPAA 
didn't apply in this case. The HealthCare.gov website was not a 
covered entity, which is--HIPAA is, you know, a really 
complicated law. I struggle to understand it. But I know that 
it did not fall under the categories of covered entities.
    Mr. Palmer. Okay. And in that regard, when people are 
basically being forced into a system, does it not make sense 
that the government gives them an opportunity to opt out of 
providing certain data or even allowing their data to be 
shared?
    Mr. Wright. I think--and it should be very clear because 
you are on a government system. I mean it is about transparency 
because that information you are talking about, collection, can 
also be used to target a consumer from an individual standpoint 
of access to their medical records, their financial records. We 
know that these phishing attacks have been successfully done by 
the Chinese, by the Russians, by other folks targeting specific 
people. Unit 6139A specifically targeted people by a collection 
of a lot of information. The more information you can get it, 
it becomes--to a behavioral standpoint, I used to instruct 
behavioral analysis like out at the NSA. I will tell you this, 
that if I can get inside your mind and I can make you believe 
it is a legitimate email because I have enough detail and I can 
convince you, now I can compromise your identity.
    That is the scary part about medical identity because now 
that the payment system will be coming online, the ability to 
commit fraud with somebody's medical identity, as the Chair 
pointed out, 10 times greater than straight identity theft, the 
value of that information.
    Mr. Palmer. All right. In a report from last August--or 
August of last year, which I guess would be last August, HHS 
Inspector General found that the value of the 60 contracts that 
were issued to develop and operate HealthCare.gov totaled $1.7 
billion. At the end of last year Accenture was awarded a five-
year contract to fix HealthCare.gov that totaled $563 million. 
Altogether now we have spent at least $2.3 billion on this 
failed website. How much do you estimate that it is going to 
cost to implement your suggestions to secure it?
    Mr. Wright. My original testimony back in November there is 
a rule of thumb that says if it costs $1 to fix it before it is 
launched, it costs $10 to fix it after it is launched. In an 
observation--
    Mr. Palmer. I think it is going to be a little bit more 
than 10, though, so what----
    Mr. Wright. Well, I mean it is--what I am saying is that if 
a problem--
    Mr. Palmer. It is a tenfold issue?
    Mr. Wright. It is a tenfold issue. So if it costs you $1 
million before launch you could have fixed it, it will cost you 
$10 million after launch. And, you know, my dad was a World War 
II vet. They fought and completed World War II, built numerous 
ships, numerous--thousands, hundreds of thousands of planes and 
tanks with far less--in far less time, and my concern is this 
will keep going because they are not addressing the fundamental 
issues.
    Mr. Palmer. I would like, if you don't mind, for you to get 
back to the Committee and give us a number. And in regard to 
your last point there, I used to work in engineering and we had 
a saying that there is never time to do it right but there is 
always time to do it over. Apparently, that is the case here.
    Thank you, Madam Chairman.
    Chairwoman Comstock. Thank you.
    And I yield to Mr. Tonko for five minutes.
    Mr. Tonko. Thank you, Madam Chair.
    The traffic to the federal government health insurance 
website was up 58 percent compared to the same time last week 
in a week-to-week measurement. That was some 275,000 
individuals that signed up, making it the busiest enrollment 
period of the past two months, and the comparisons from last 
year to this year are ``as an experience, pretty dramatic.'' 
What is your reaction to that?
    Ms. De Mooy. My reaction is that the government should 
immediately implement some of these recommendations to make 
sure that no, as I said, American should have to choose between 
their data sharing and their health.
    Mr. Tonko. Does it indicate any sort of comfort zone with 
the website?
    Ms. De Mooy. I think that is difficult to say. I think 
there is a deadline looming and so the government has tried to 
get as many people who need this service to make sure that it 
is in front of them and available to them. But the fact that 
they have reduced data sharing is good; they just need to do 
more.
    Mr. Tonko. Um-hum. And it seems like over the past 10, 20 
years the expectations of privacy have diminished dramatically. 
Do you think that that is true and what can we do to ensure 
that private personal data stay private?
    Ms. De Mooy. I don't think that is true. It is something 
that I hear quite a bit and I usually hear from people who have 
curtains and people who like to wear pants, for example, sort 
of not clever way but people care about privacy. It is a part 
of autonomy. It is at the heart of it. And when you take that 
autonomy away, in this example, where the government didn't ask 
or get permission, then you are removing a fundamental right 
that we have.
    I think there are steps that--especially in the case of 
HealthCare.gov--that can be taken to ensure more privacy, to 
ensure autonomy and freedom, and so that when people go, they 
have the option of whether they want to share this kind of 
data. Certainly in the health context it is more sensitive.
    I think companies have options. I think privacy is in 
itself an innovation. To speak to your point about making sure 
that we don't limit innovation, you know, the internet, I 
remember a time when the internet was not something that people 
used to buy things from. It was literally too scary to do that 
but privacy became an innovation that allowed that to happen.
    Mr. Tonko. Um-hum.
    Ms. De Mooy. And I think in this atmosphere of data 
sharing, rampant data sharing, that needs to happen once again.
    Mr. Tonko. Ms. De Mooy, one of your recommendations that 
would address the wider problems beyond HealthCare.gov was to 
strengthen legal incentives for companies to better safeguard 
data. Can you speak more directly to this and what it would 
look like and why it is necessary?
    Ms. De Mooy. Sir, I think that is something I could get to 
you in writing. In our written testimony that sort of lays out 
some of our recommendations. And CDT has done quite a bit of 
work on policy in that and I think I would do it a disservice 
to sum it up now. But I can say that in the President's 
comprehensive Consumer Privacy Bill of Rights, what that did 
was create a framework for legislation around the fair 
information practice principles, which have guided privacy and 
security for decades and are sort of renowned as something that 
is flexible and nimble enough to address new technologies. I 
think that would be a start for there to be sort of a baseline 
consumer privacy legislation, something that we have been 
sorely lacking in the United States.
    Mr. Tonko. And are there steps that you believe can be 
taken by private industry or commercial companies, internet 
providers to help limit the amount of personal data these 
enterprises collect?
    Ms. De Mooy. Absolutely. I think data minimization is a 
term that we use to describe when a company has a purpose for 
collecting a data point and that it stops collecting after that 
purpose has been fulfilled. It is a kind of simple concept but 
one that is lost, especially in the rampant data collection 
online. So implementing a real understanding of why you need a 
piece of data and not just collecting every single piece that 
you can get would drastically reduce the risks to people in 
terms of security and privacy.
    Mr. Tonko. Um-hum. Is there a point where that could become 
unrealistic?
    Ms. De Mooy. Data minimization?
    Mr. Tonko. Um-hum.
    Ms. De Mooy. To my understanding, no. I think data systems 
are designed from the beginning, and when they use privacy 
principles such as data minimization, it is very possible. You 
know, there is really no system that I know of that needs every 
single thing about you in order to function. Usually we use 
services and apps for a specific purpose. And so I think that 
is absolutely doable.
    Mr. Tonko. Okay. Thank you very much, and with that, I 
yield back, Madam Chair.
    Chairwoman Comstock. Thank you.
    And thank you to our witnesses.
    I think we are supposed to have some votes sometime in the 
next few minutes here, so I think we will be able to close out 
now. But I really want to thank you and appreciate your 
expertise.
    And while, you know, we might have in the normal order--
certainly we ask the government to give us answers to the 
letters we sent, but I think your expertise and the information 
you provided I think will help illuminate that hearing, and so 
I hope any ideas you might have for us and questions to ask, 
that you will feel free to come forward because I think what 
you have demonstrated through your discussion and the expertise 
that you have is that we don't have to, nor should we have to 
make the choice between privacy and being able to use our 
modern technology.
    I mean we have always been able to match technology with 
technology if we approach it with the right principles. That is 
sort of the new way we have to work on things in the 21st 
century. So I think the very specific things that you pointed 
out here and certainly doing this on the front end is much less 
costly. So I think as we set up practices I think it has been 
helpful for you to--the information you have given us and I 
look forward to our next testimony in light of the information 
you have given us.
    And I do invite you to provide us with any additional 
information that you think might be helpful as we hear from the 
government, as we learn more going along. It would be helpful 
for us for the record.
    And the record for this hearing will remain open two weeks 
for additional comments and written questions from Members. And 
the witnesses are excused and this hearing is adjourned. Thank 
you.
    [Whereupon, at 4:04 p.m., the Subcommittees were 
adjourned.]
                               Appendix I

                              ----------                              


                   Answers to Post-Hearing Questions
Responses by Ms. Michelle De Mooy
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 

Responses by Mr. Morgan Wright
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 


                              Appendix II

                              ----------                              


                   Additional Material for the Record
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 


            Prepared Statement submitted by Subcommittee on
             Research and Technology Member Elizabeth Esty

    Thank you to the Committee for holding this hearing on privacy and 
security concerns on HealthCare.Gov, and thank you to our witnesses for 
your time. Since so much of our personal business--from paying our 
credit cards to applying for mortgages to choosing health insurance--is 
now conducted online, it is all the more important that we maintain a 
strong cyber infrastructure to protect our security and personal 
privacy.
    In Connecticut, we established our own health insurance 
marketplace, Access Health CT, for residents to shop for and secure 
health insurance. Over half a million Connecticut residents have 
already enrolled in health insurance plans through Access Health CT, 
and in 2014 our state's uninsured rate was cut in half. I am encouraged 
by the level of success we have achieved in Connecticut, and I look 
forward to working with my fellow Committee Members to ensure that 
Americans across the country have access to affordable healthcare 
without compromising their privacy and personal information.
      Letters Submitted by Subcommittee on Research and Technology
                      Chairwoman Barbara Comstock
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 


               Documents to Support Letters Submitted by
  Subcommittee on Research and Technology Chairwoman Barbara Comstock
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 


                                 [all]