b'<html>\n<title> - CAN AMERICANS TRUST THE PRIVACY AND SECURITY OF THEIR INFORMATION ON HEALTHCARE.GOV?</title>\n<body><pre>[House Hearing, 114 Congress]\n[From the U.S. Government Publishing Office]\n\n\n \n                    CAN AMERICANS TRUST THE PRIVACY\n                         AND SECURITY OF THEIR\n                     INFORMATION ON HEALTHCARE.GOV?\n\n=======================================================================\n\n                             JOINT HEARING\n\n                               BEFORE THE\n\n               SUBCOMMITTEE ON RESEARCH AND TECHNOLOGY &\n                       SUBCOMMITTEE ON OVERSIGHT\n\n              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED FOURTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                           FEBRUARY 12, 2015\n\n                               __________\n\n                            Serial No. 114-6\n\n                               __________\n \n Printed for the use of the Committee on Science, Space, and Technology\n \n \n [GRAPHIC NOT AVAILABLE IN TIFF FORMAT]\n\n\n       Available via the World Wide Web: http://science.house.gov\n       \n                                __________\n                                \n                     \n                        U.S. GOVERNMENT PUBLISHING OFFICE\n93-884 PDF                   WASHINGTON : 2015                        \n     \n_____________________________________________________________________________________   \nFor sale by the Superintendent of Documents, U.S. Government Publishing Office, \nhttp://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, \nU.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). 
\nE-mail, [email&#160;protected]  \n    \n       \n\n              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY\n\n                   HON. LAMAR S. SMITH, Texas, Chair\nFRANK D. LUCAS, Oklahoma             EDDIE BERNICE JOHNSON, Texas\nF. JAMES SENSENBRENNER, JR.          ZOE LOFGREN, California\nDANA ROHRABACHER, California         DANIEL LIPINSKI, Illinois\nRANDY NEUGEBAUER, Texas              DONNA F. EDWARDS, Maryland\nMICHAEL T. McCAUL                    FREDERICA S. WILSON, Florida\nSTEVEN M. PALAZZO, Mississippi       SUZANNE BONAMICI, Oregon\nMO BROOKS, Alabama                   ERIC SWALWELL, California\nRANDY HULTGREN, Illinois             ALAN GRAYSON, Florida\nBILL POSEY, Florida                  AMI BERA, California\nTHOMAS MASSIE, Kentucky              ELIZABETH H. ESTY, Connecticut\nJIM BRIDENSTINE, Oklahoma            MARC A. VEASEY, TEXAS\nRANDY K. WEBER, Texas                KATHERINE M. CLARK, Massachusetts\nBILL JOHNSON, Ohio                   DON S. BEYER, JR., Virginia\nJOHN R. MOOLENAAR, Michigan          ED PERLMUTTER, Colorado\nSTEVE KNIGHT, California             PAUL TONKO, New York\nBRIAN BABIN, Texas                   MARK TAKANO, California\nBRUCE WESTERMAN, Arkansas            BILL FOSTER, Illinois\nBARBARA COMSTOCK, Virginia\nDAN NEWHOUSE, Washington\nGARY PALMER, Alabama\nBARRY LOUDERMILK, Georgia\n                                 ------                                \n\n                Subcommittee on Research and Technology\n\n                 HON. BARBARA COMSTOCK, Virginia, Chair\nFRANK D. LUCAS, Oklahoma             DANIEL LIPINSKI, Illinois\nMICHAEL T. MCCAUL, Texas             ZOE LOFGREN, California\nSTEVEN M. PALAZZO, Mississippi       SUZANNE BONAMICI, Oregon\nRANDY HULTGREN, Illinois             KATHERINE M. CLARK, Massachusetts\nJOHN R. 
MOOLENAAR, Michigan          SUZANNE BONAMICI, Oregon\nSTEVE KNIGHT, California             DON S. BEYER, JR., Virginia\nBRUCE WESTERMAN, Arkansas            EDDIE BERNICE JOHNSON, Texas\nGARY PALMER, Alabama\nLAMAR S. SMITH, Texas\n                                 ------                                \n\n                       Subcommittee on Oversight\n\n                 HON. BARRY LOUDERMILK, Georgia, Chair\nF. JAMES SENSENBRENNER, JR.,         DON BEYER, Virginia\n    Wisconsin                        ALAN GRAYSON, Florida\nBILL POSEY, Florida                  ZOE LOFGREN, California\nTHOMAS MASSIE, Kentucky              EDDIE BERNICE JOHNSON, Texas\nJIM BRIDENSTINE, Oklahoma\nBILL JOHNSON, Ohio\nLAMAR S. SMITH, Texas\n                            C O N T E N T S\n\n                           February 12, 2015\n\nWitness List\n\nHearing Charter\n\n                           Opening Statements\n\nStatement by Representative Barbara Comstock, Chairwoman, \n  Subcommittee on Research and Technology, Committee on Science, \n  Space, and Technology, U.S. House of Representatives\n    Written Statement\n\nStatement by Representative Daniel Lipinski, Ranking Minority \n  Member, Subcommittee on Research and Technology, Committee on \n  Science, Space, and Technology, U.S. House of Representatives\n    Written Statement\n\nStatement by Representative Barry Loudermilk, Chairman, \n  Subcommittee on Oversight, Committee on Science, Space, and \n  Technology, U.S. House of Representatives\n    Written Statement\n\nStatement by Representative Don S. 
Beyer, Ranking Minority \n  Member, Subcommittee on Oversight, Committee on Science, Space, \n  and Technology, U.S. House of Representatives\n    Written Statement\n\n                               Witnesses:\n\nMs. Michelle De Mooy, Deputy Director, Consumer Privacy, Center \n  for Democracy and Technology\n    Oral Statement\n    Written Statement\n\nMr. Morgan Wright, Principal, Morgan Wright, LLC\n    Oral Statement\n    Written Statement\n\nDiscussion\n\n             Appendix I: Answers to Post-Hearing Questions\n\nMs. Michelle De Mooy, Deputy Director, Consumer Privacy, Center \n  for Democracy and Technology\n\nMr. Morgan Wright, Principal, Morgan Wright, LLC\n\n            Appendix II: Additional Material for the Record\n\nPrepared statement by Representative Elizabeth Esty, Committee on \n  Science, Space, and Technology, U.S. House of Representatives\nLetters submitted by Representative Barbara Comstock, Chairwoman, \n  Subcommittee on Research and Technology, Committee on Science, \n  Space, and Technology, U.S. House of Representatives\nDocuments submitted by Representative Barbara Comstock, \n  Chairwoman, Subcommittee on Research and Technology, Committee \n  on Science, Space, and Technology, U.S. House of \n  Representatives
\n\n \n                    CAN AMERICANS TRUST THE PRIVACY\n\n\n \n                         AND SECURITY OF THEIR\n\n\n \n                     INFORMATION ON HEALTHCARE.GOV?\n\n                              ----------                              \n\n\n                      THURSDAY, FEBRUARY 12, 2015\n\n                  House of Representatives,\n          Subcommittee on Research and Technology &\n                          Subcommittee on Oversight\n               Committee on Science, Space, and Technology,\n                                                   Washington, D.C.\n\n    The Subcommittees met, pursuant to call, at 2:49 p.m., in \nRoom 2318 of the Rayburn House Office Building, Hon. Barbara \nComstock [Chairwoman of the Subcommittee on Research and \nTechnology] presiding.\n\n    Chairwoman Comstock. The Subcommittee on Research and \nTechnology and Subcommittee on Oversight will come to order.\n    Without objection, the Chair is authorized to declare \nrecesses of the Subcommittee at any time.\n    Good afternoon. Welcome to today\'s hearing entitled ``Can \nAmericans Trust the Privacy and Security of Their Information \non Healthcare.gov?\'\'\n    In front of you are packets containing the written \ntestimony, biographies, and truth-in-testimony disclosures for \ntoday\'s witnesses.\n    I recognize myself for five minutes for an opening \nstatement.\n    Now, the reason we are having the hearing today is just \nover three weeks ago on January 20, the Associated Press \nreported that as many as 50 data mining companies had access to \nconsumers\' personal and health information on HealthCare.gov. 
\nCompanies such as Google, Twitter, Facebook, Yahoo, and \nAdvertising.com apparently were provided access by CMS, the \nCenters for Medicare and Medicaid Services.\n    Upon learning of this development, Chairman Smith sent \nseveral letters to department heads questioning the practice \nand trying to get more information about what actually had \nhappened, but no one has replied with additional information at \nthis point.\n    As reported by AP, ``When you apply for coverage on \nHealthCare.gov, dozens of data companies may be able to tell \nthat you are on the site.\'\' While the information shared with \nthese third party companies does not include, apparently, the \nhealthcare consumer\'s Social Security number, it appears that a \nnumber of data companies may have had access to consumers\' age, \nincome, ZIP code, smoking practices, pregnancy status, and even \ncomputer IP address.\n    While some may characterize this as a harmless collection \nof data, it can actually be more revealing. A recent MIT study \nof credit card data revealed that only four pieces of outside \ninformation about a user, including one\'s social media \nactivity, were sufficient to identify a person in the database \nof a million people.\n    The concerns with HealthCare.gov\'s practice of sharing data \nare twofold. There are privacy implications of feeding \nconsumers\' personal data--unbeknownst to them--to third party \nvendors, and there are security concerns, because additional \nconnections to the website can lead to additional \nvulnerabilities.\n    During my first hearing that we had here on the \nSubcommittee I shared that I experienced a credit card breach \nbecause someone had ordered $7,000 of products and wrongfully \ncharged them to my credit card right before Christmas. \nFortunately, that situation resolved fairly quickly and I \nwasn\'t liable for those charges, but what if the information \nstolen had been about healthcare? 
How would that impact \nsomebody?\n    You know, you can get a new credit card but when that is \ntaken or hacked, like whatever happened in that case, but once \npersonal health information is compromised, personal family \ninformation, other things like that, you don\'t know where that \nmay go and it could be out there forever. That is why health \nand health insurance information apparently is reportedly worth \nup to 10 times as much as credit card information on the black \nmarket.\n    The risks posed by HealthCare.gov data-sharing are \nunderscored by the fact that a hacker accessed the website last \nJuly to upload malicious software. Government investigators \nfound no evidence that consumers\' personal data were taken, but \nHHS said the attack appears to have been the first successful \nintrusion into the website. Many security experts have warned \nof vulnerability to hacking since HealthCare.gov went live more \nthan a year ago.\n    And just last week, we learned about what might be the \nlargest data breach against the country\'s second biggest health \ninsurer, Anthem. In this case, stolen information for 80 \nmillion Anthem members included names, birth dates, Social \nSecurity numbers and medical IDs. That impacted my constituents \nso I, and I know other colleagues of mine in Virginia, posted \ninformation about the Anthem situation at my official website \nto inform our constituents, but obviously they had very strong \nconcerns when healthcare information may be at risk.\n    Today\'s hearing is a precursor to one at which we will \ninvite witnesses from the federal government to answer specific \nquestions about the HealthCare.gov contracts with the third \nparty companies. 
I look forward to the insights of both our \nwitnesses today as the Committee continues its due diligence \nover this issue.\n    And I do want to emphasize that obviously we do want to \nhear from the folks at CMS and the Chairman had reached out to \nthem, but we wanted to proceed and hear from other experts such \nas are here today.\n    [The prepared statement of Mrs. Comstock follows:]\n\n                   Prepared Statement of Subcommittee\n                      Chairwoman Barbara Comstock\n\n    Three weeks ago, on January 20, the Associated Press reported that \nas many as 50 data mining companies had access to consumers\' personal \nand health information on HealthCare.gov. Companies such as Google, \nTwitter, Facebook, Yahoo, and Advertising.com apparently were provided \naccess by CMS (the Centers for Medicare and Medicaid Services).\n    As reported by AP, ``When you apply for coverage on HealthCare.gov, \ndozens of data companies may be able to tell that you are on the \nsite.\'\' While the information shared with these third party companies \ndoes not include the health care consumer\'s Social Security number, it \nappears that a number of data companies may have had access to \nconsumers\' age, income, ZIP code, smoking practices, pregnancy status, \nand even computer IP address.\n    While some may characterize this as a harmless collection of data, \nit can actually be much more revealing. A recent MIT study of credit \ncard data revealed that only four pieces of outside information about a \nuser, including one\'s social media activity, were sufficient to \nidentify a person in the database of a million people.\n    The concerns with HealthCare.gov\'s practice of sharing data with \ncompanies like Google, Twitter and Facebook are two-fold. 
There are \nprivacy implications of feeding consumers\' personal data--unbeknownst \nto them--to third party vendors, and there are security concerns, \nbecause additional connections to the website can lead to additional \nvulnerabilities.\n    We also should consider this news in the context of President \nObama\'s announcement that he would bring forward a new online privacy \nand cybersecurity proposal later this month. This proposal was \ndescribed as building on steps previously taken to ``protect American \ncompanies, consumers, and infrastructure from cyber threats, while \nsafeguarding privacy and civil liberties.\'\' It seems to me that what \nthe AP has reported about Americans\' data on HealthCare.gov and what \nthe President expects of Americans may be in conflict or certainly \nraise legitimate concerns.\n    Privacy protections at federal government websites should be the \ngold standard, setting the bar for others to follow. Privacy \nprotections at federal websites should at least follow the guidance \nprovided through the Federal Information Security Management Act and \nlast year\'s publication of the Cybersecurity Framework by the National \nInstitute of Standards and Technology. I am interested in hearing from \nour expert witnesses about privacy protections for users of \nHealthCare.gov.\n    During my first hearing as Chairwoman of this Subcommittee, I \nshared that I experienced a credit card breach because someone had \nordered $7,000 in wrongful charges on my card right before Christmas.\n    Fortunately, the situation was resolved and I wasn\'t liable for \nthose charges. But what if information stolen like this had been \nrelated to health?\n    You can get a new credit card when your old one is hacked. But once \npersonal health information is compromised, it could be out there \nforever. 
That is why health and health insurance information is \nreportedly worth up to ten times as much as credit card information on \nthe black market.\n    The risks posed by HealthCare.gov data sharing are underscored by \nthe fact that a hacker accessed the website last July to upload \nmalicious software. Government investigators found no evidence that \nconsumers\' personal data were taken, but HHS said the attack appears to \nhave been the first successful intrusion into the website. Many \nsecurity experts have warned of vulnerability to hacking since \nHealthCare.gov went live more than a year ago.\n    And just last week, we learned about what might be the largest data \nbreach against the country\'s second biggest health insurer, Anthem. In \nthis case, stolen information for 80 million Anthem members included \nnames, birth dates, Social Security numbers and medical IDs.\n    I posted information about the Anthem situation at my official \nwebsite to inform my constituents.\n    Today\'s hearing is a precursor to one at which we will invite \nwitnesses from the federal government to answer specific questions \nabout the HealthCare.gov contracts with third party companies. I look \nforward to the insights of both our witnesses today as the Committee \ncontinues its due diligence over this issue.\n\n    Chairwoman Comstock. Now, before I yield to the Ranking \nMember, I ask unanimous consent that the following documents be \nplaced in the record, which include the letters from Chairman \nSmith I referenced earlier.\n    Without objection, there we go.\n    [The information appears in Appendix II]\n    Chairwoman Comstock. Now, I recognize the Ranking Member of \nthe Research and Technology Subcommittee, the gentleman from \nIllinois, Mr. Lipinski, for his opening statement.\n    Mr. Lipinski. 
Thank you, Madam Chairwoman.\n    I want to welcome the witnesses to this afternoon\'s \nhearing.\n    I am troubled by some of the things we know and some of the \nthings we don\'t know about privacy and security on \nHealthCare.gov. We have a couple of very good witnesses today \nwho I look forward to hearing from. Unfortunately, neither of \nthese experts had any role in developing HealthCare.gov or \ndecisions regarding privacy and security, but I do hope that \nthe testimony will help shape some of the questions we should \nbe asking those who did have a role in those decisions.\n    Given the problematic rollout of HealthCare.gov and \nproblems with some state exchange websites such as those with \nthe D.C. marketplace, it is clear that the implementation of \nthe technical side of the Affordable Care Act merits \nCongressional review and oversight. While HealthCare.gov \nfunctionality has improved since last year and CMS has been \nresponsive to reports of potential security or privacy \nweaknesses as they have been identified, we should continue to \nconduct oversight because the type of personal data that is \ninputted into the site raises the potential for serious \nproblems.\n    Yet we must also make sure that we are clear on the \ncontext. We are here today because of recent news reports about \nthe use of third-party analytics tools on HealthCare.gov, as \nthe Chairwoman mentioned. Data analytics tools can be valuable \nfor tracking how websites are being used and optimizing the \nwebsite for the consumer. While I am on the record about my \nreservations about the Affordable Care Act, I also understand \nthe motivation of increasing traffic to the HealthCare.gov \nwebsite in an effort to get more people signed up for health \ninsurance.\n    However, we must hold the government to the highest \nstandards for privacy and security. 
This is especially true for \na website like HealthCare.gov in which people enter highly \nprivate and sensitive information. I have concerns based on the \ninitial news reports that the high standards may not have been \napplied to privacy on HealthCare.gov. However, the news \nreports, like today\'s testimony, have provided more questions \nthan answers. We must also be careful to distinguish between \nprivacy and security and where the true vulnerabilities may be \nfor each. In short, we have a responsibility to gather all the \nfacts before coming to any conclusions but we need to get those \nfacts.\n    I understand, Madam Chairwoman, that you are trying to \nschedule a second hearing with Administration officials who \nhave direct knowledge of the issues before us today. I think \nsuch a hearing, in addition to more staff homework, will be \nnecessary before we can draw any clear conclusions or proposals \nfor moving forward.\n    In addition, I would note that privacy is a big issue \nacross the internet. Data analytics tools can help improve \ncustomer experience but their ubiquity and integration into the \nworking of so many websites means that Americans concerned \nabout their privacy may have little real choice when it comes \nto how they can manage the release of their information. Ms. De \nMooy addresses some of that in her testimony and I look forward \nto the discussion on the broader issues. While we may hold the \ngovernment to higher standards, it is incumbent upon us to \ndeclare the steps we can take to ensure that Americans are able \nto safeguard their personal data across the online environment \nas a whole.\n    Finally, while this hearing will focus on online data \nprivacy, it is critical to recognize that using the internet is \nfar from the only way for Americans\' private information to be \nlost. In his testimony, Mr. 
Wright addresses the difficulty of \nanonymizing data and the ease with which individuals can be \nidentified from just a few pieces of information about their \nday-to-day activities such as purchases charged through a \ncredit card. Given this testimony, this Committee may want to \nbe careful about efforts to publicly disclose study data \nrelated to the health impacts of the air pollutants used in the \nEPA regulation. It is an issue that we debated in the last \nCongress and I think this is something that we need to \nconsider, the problems with anonymizing data, as we move \nforward.\n    I look forward to hearing from the witnesses today, and \nwith that, I yield back.\n    [The prepared statement of Mr. Lipinski follows:]\n\n                   Prepared Statement of Subcommittee\n                Minority Ranking Member Daniel Lipinski\n\n    Thank you Madam Chairwoman. I want to welcome the witnesses to this \nmorning\'s hearing on privacy and security on the healthcare.gov \nwebsite.\n    I am troubled by some of the things we know and some of the things \nwe don\'t know about privacy and security on healthcare.gov. We have \nsome very good witnesses today who I look forward to hearing from. \nUnfortunately none of these experts had any role in developing \nhealthcare.gov or in the decisions regarding privacy and security. I do \nhope the testimony will help shape some of the questions we should be \nasking those who did have a role in those decisions.\n    Given the problematic rollout of healthcare.gov and problems with \nsome state exchange websites such as those with the DC marketplace, \nit\'s clear that the implementation of the technical side of the \nAffordable Care Act merits Congressional review and oversight. 
While \nhealthcare.gov functionality has improved since last year and CMS has \nbeen responsive to reports of potential security or privacy weaknesses \nas they have been identified, we should continue to conduct oversight \nbecause the type of personal data that is input into the site raises \nthe potential for serious problems.\n    Yet we must also make sure that we are clear on the context. We are \nhere today because of recent news reports about the use of third-party \nanalytics tools on healthcare.gov. Data analytics tools can be valuable \nfor tracking how websites are being used and optimizing the website for \nthe consumer. While I am on the record about my own reservations about \nthe Affordable Care Act, I also understand the motivation of increasing \ntraffic to the healthcare.gov website in an effort to get more people \nsigned up for health insurance.\n    However, we must hold the government to the highest standards for \nprivacy and security. This is especially true for a website like \nhealthcare.gov in which people enter highly private and sensitive \ninformation. I have concerns, based on the initial news reports, that \nthe highest standards may not have been applied to privacy on \nhealthcare.gov. However, the news reports, like today\'s testimony, \nprovide more questions than answers. We must also be careful to \ndistinguish between privacy and security, and where the true \nvulnerabilities may be for each. In short, we have a responsibility to \ngather all of the facts before coming to any conclusions. But we need \nthose facts.\n    I understand, Madam Chairwoman, that you are trying to schedule a \nsecond hearing with Administration officials who have direct knowledge \nof the issues before us today. I think such a hearing, in addition to \nmore staff homework, will be necessary before we can draw any clear \nconclusions or proposals for moving forward.\n    In addition, I would note that privacy is a big issue across the \ninternet. 
Data analytics tools can help improve customer experience. \nBut their ubiquity and integration into the workings of so many \nwebsites means that Americans concerned about their privacy may have \nlittle real choice when it comes to how they can manage the release of \ntheir information. Ms. De Mooy addresses some of that in her testimony \nand I look forward to a discussion on the broader issues. While we may \nhold the government to a higher standard, it is incumbent upon us to \nconsider steps we can take to ensure that Americans are able to \nsafeguard their personal data across the online environment as a whole.\n    Finally, while this hearing will focus on online data privacy, I \nthink it is critical to recognize that using the internet is far from \nthe only way for Americans\' private information to be lost. In his \ntestimony, Mr. Wright addresses the difficulty of anonymizing data and \nthe ease with which individuals can be identified through just a few \npieces of information about their day-to-day activities, such as \npurchases charged to a credit card. Given this testimony, this \nCommittee may want to be careful about efforts to publicly disclose \nstudy data related to the health impacts of air pollutants used in EPA \nregulations.\n    I look forward to hearing from the experts before us today and with \nthat I yield back.\n\n    Chairwoman Comstock. I now recognize the Chair of the \nOversight Subcommittee, the gentleman from Georgia, Mr. \nLoudermilk, for an opening statement.\n    Mr. Loudermilk. Thank you, Chairwoman Comstock. I \nappreciate the opportunity to be here, and welcome to all of \nour witnesses here today. And I am looking forward to hearing \nfrom each of you as we gather information on this very \nimportant issue.\n    Just last week, I joined many of my Republican colleagues \nto vote for a full repeal of ObamaCare. 
This sweeping \nhealthcare law has punished countless Americans by doubling \nsome health insurance costs for the same or less coverage in \nmany cases by no longer being able to use the plans they were \npromised to keep.\n    That same healthcare law created HealthCare.gov, a \nfederally operated health insurance exchange website to assist \nAmericans in signing up for healthcare coverage. As reported by \nthe Associated Press on January 20, 2015, dozens of companies, \nincluding Google, Facebook, and Twitter, had embedded \nconnections to HealthCare.gov. Essentially, when a consumer was \napplying for coverage on the website, it is possible that some \nor all of those data companies were able to tell, at the very \nleast, when a person was on the site, their age, their income, \ntheir ZIP code, and whether they smoked or even if they were \npregnant.\n    The Centers for Medicare and Medicaid Services claim that \nthis kind of data mining is necessary for data analytics in \norder to improve user experience. If that is the case, however, \nI wonder why the number of embedded connections to the website \nhas significantly dropped since the first news story on the \nmatter. Did the Administration actually know and approve all \nthe companies that were connected to HealthCare.gov?\n    One of our witnesses here today comes from the Center for \nDemocracy and Technology, which compiles similar analytics in-\nhouse instead of through a slew of different companies. This \ntechnique decreases privacy and security vulnerabilities by \ngiving website access to a minimum number of individuals who \nare able to improve user experience without compromising user \ninformation.\n    Having multiple outside connections to HealthCare.gov means \nmore vendors have access to the website, which only means one \nthing: increased vulnerabilities. 
About one year ago, hackers \nwere able to use just one vendor, an HVAC company based in \nPennsylvania, to obtain credit and debit card information of \nmillions of Target customers nationwide.\n    Cybercriminals appear to be increasingly interested in the \npersonal information collected by U.S. insurers, so much so \nthat a recent Reuters article warned that 2015 could be ``the \nYear of the Healthcare Hack.\'\' So far, it looks as though they \nare right. Just last week, it was disclosed that a database \ncontaining personal information for about 80 million customers \nof health insurer Anthem, Incorporated, was hacked. It is \nfeared that this breach exposed names, birthdays, addresses, \nand Social Security numbers--all information that \nHealthCare.gov website requests of its customers.\n    As someone with a background in the IT sector, I find what \nappears to be extensive tracking of Americans\' personal \ninformation extremely disconcerting and unnecessary. Americans \nwere first misled when their President told them ``if you like \nyour healthcare insurance plan, you can keep it,\'\' and now it \nseems like they are being misled into thinking that their \npersonal information on HealthCare.gov is as secure as it can \nbe.\n    Considering that HealthCare.gov is one of the largest \ncollections of personal information ever assembled, it is \nextremely important that the Administration implements best \npractices to protect Americans\' privacy. 
This Administration \nultimately has a responsibility to ensure that personal data \ncollected is secure, and Congressional oversight will continue \nuntil the Administration has proved that it is doing all it can \nto protect the American people.\n    I look forward to today\'s hearing where I hope to gain some \ninsight from our expert witnesses on the possible reasoning for \nwhy scores of data mining companies would be embedded on \nHealthCare.gov, as well as the potential consequences of them \nhaving access to the website. The American people deserve to \nknow the truth and are owed some level of transparency from \nthis Administration as to how their information on \nHealthCare.gov is being collected, used, and secured.\n    Madam Chair, I yield back my time.\n    [The prepared statement of Mr. Loudermilk follows:]\n\n            Prepared Statement of Subcommittee on Oversight\n                       Chairman Barry Loudermilk\n\n    Thank you, Chairwoman Comstock, and welcome to all of our witnesses \nhere today. I am looking forward to hearing from each of you as we \ngather information on this very important issue.\n    Just last week, I joined many of my Republican colleagues to vote \nfor a full repeal of Obamacare. This sweeping health care law has \npunished countless Americans by doubling some health insurance costs \nfor the same or less coverage, or, in many cases, by no longer being \nable to use the plans they were promised to keep.\n    That same health care law created HealthCare.gov, a federally-\noperated health insurance exchange website to assist Americans in \nsigning up for healthcare coverage. As reported by the Associated Press \non January 20th, 2015, dozens of companies, including Google, Facebook, \nand Twitter had embedded connections to HealthCare.gov. 
Essentially, \nwhen a consumer was applying for coverage on the website, it is \npossible that some or all of those data companies were able to tell, at \nthe very least, when the person was on the site, their age, their \nincome, their ZIP code, and whether they smoked or even if they were \npregnant.\n    The Centers for Medicare and Medicaid Services claims that this \nkind of data mining is necessary for data analytics in order to improve \nuser experience. If that is the case, however, I wonder why the number \nof embedded connections to the website has significantly dropped since \nthe first news story on this matter. Did the Administration actually \nknow and approve all of the companies that were connected to \nHealthCare.gov?\n    One of our witnesses here today comes from the Center for Democracy \nand Technology, which compiles similar analytics in-house instead of \nthrough a slew of different companies. This technique decreases privacy \nand security vulnerabilities by giving website access to a minimum \nnumber of individuals who are able to improve user experience without \ncompromising user information.\n    Having multiple outside connections to HealthCare.gov means more \nvendors have access to the website, which only means one thing: \nincreased vulnerabilities. About one year ago, hackers were able to use \njust one vendor, an HVAC Company based in Pennsylvania, to obtain the \ncredit and debit card information of millions of Target customers \nnation-wide.\n    Cybercriminals appear to be increasingly interested in the personal \ninformation collected by U.S. insurers, so much so that a recent \nReuters article warned that 2015 could be ``the Year of the Healthcare \nHack.\'\' So far, it looks as though they are right. Just last week, it \nwas disclosed that a database containing personal information for about \n80 million customers of health insurer Anthem, Inc. was hacked. 
It is \nfeared that this breach exposed names, birthdays, addresses, and Social \nSecurity numbers--all information that the HealthCare.gov website \nrequests of its customers.\n    As someone with a background in the IT sector, I find what appears \nto be extensive tracking of Americans\' personal information extremely \ndisconcerting and unnecessary. Americans were first misled when their \nPresident told them that, ``if you like your health insurance plan, you \ncan keep it,\'\' and now it seems like they are being misled into \nthinking that their personal information on HealthCare.gov is as secure \nas it can be.\n    Considering that HealthCare.gov is one of the largest collections \nof personal information ever assembled, it is extremely important that \nthe Administration implements best practices to protect Americans\' \nprivacy. This Administration ultimately has a responsibility to ensure \nthat personal data collected is secure, and Congressional oversight \nwill continue until the Administration has proved that it is doing all \nit can to protect the American people.\n    I look forward to today\'s hearing where I hope to gain some insight \nfrom our expert witnesses on the possible reasoning for why scores of \ndata mining companies would be embedded on HealthCare.gov as well as \nthe potential consequences of them having access to the website. The \nAmerican people deserve to know the truth and are owed some level of \ntransparency from this Administration as to how their information on \nHealthCare.gov is being collected, used, and secured.\n\n    Chairwoman Comstock. Thank you.\n    I now recognize the Ranking Member of the Subcommittee on \nOversight, the gentleman from Virginia and my neighbor, Mr. \nBeyer, for an opening statement.\n    Mr. Beyer. 
Thank you, Madam Chair Comstock, and Chairman \nLoudermilk for holding this hearing today.\n    Recent news stories on the sharing of the HealthCare.gov \nvisitor data with third parties really does raise very \nlegitimate privacy concerns. According to these news reports, \nwhich we have heard, various personal data was being provided \nat multiple third-party websites and application tools embedded \nin the website. No personally identifiable information was \nprovided to third parties but news reports also suggest that \nthe information was being provided to third parties without the \nclear consent or any knowing consent of the visitors to the \nsite.\n    I think there are many questions that the Members on both \nsides of the aisle have about HealthCare.gov implementing the \nuse of third-party tools. What restrictions were placed on the \nuse of this data by third parties? Was there even a need for \nthird-party tools on the website? How do these tools improve \nthe function of the website, users\' experience? Could some of \nthis work have been done in-house?\n    Unfortunately, we are not going to be able to get \ndefinitive answer to those questions today. I understand the \nmajority invited government witnesses but they deferred citing \ntoo short notice to prepare their testimony. My understanding \nis they will be coming again later with the proper set of \ngovernment witnesses to address these issues. In a perfect \nworld, we would have had that first but right now I guess we \nhave to deal with a lot of speculation and discover the \ngovernment facts later.\n    The use of third-party website tools on HealthCare.gov has \ndrawn an awful lot of public attention but I hope our \nwitnesses, particularly Ms. De Mooy, can help us explore the \nlarger privacy issues involved.\n    The use of third-party websites is worrisome but it is \ncertainly not unusual in the digital online environment. 
One \nrecent study found that the top 100 most popular websites were \nbeing monitored by more than 1,300 firms deploying these third-\nparty tools. And while I believe we should definitely explore \nthe privacy implications of using the third-party websites, \nthis too is only a small part of the privacy pie.\n    From the moment we enter the digital domain, whether it is \nturning on our cell phone, logging onto the internet, opening \nup a tablet or other digital device, our data is collected, \ncollated, and analyzed by corporations, organizations, \ngovernment agencies, and particularly online advertising \ncompanies. In the physical world, our identities are often \nmeasured by details on our driver\'s licenses, birthday, height, \ngender, weight, but in the digital world, the metrics used to \nmeasure who we are seem to be based on observing the web pages \nwe visit, the purchases we make, the people we personally \nsocialize, the news items we read, and the movies we watch. And \nI am concerned about the use of these new metrics that \nconstantly track and measure our personal lives online.\n    On the security side, we should also realize that any IT \ninfrastructure is constantly evolving and improving. It is \nunclear if the use of third-party tools have any direct impact \nyet at least on the security of HealthCare.gov but also need \nthis--this needs to be put in perspective. Chairman Loudermilk \nmentioned Anthem\'s recent breach exposing the accounts of 80 \nmillion customers. That is eight times the number of people who \nhave signed up through--for the Affordable Care Act through \nHealthCare.gov.\n    Since the launch of HealthCare.gov, an additional 10 \nmillion Americans have healthcare coverage, and I believe that \nextending these healthcare market opportunities to 10 million \nAmericans is a tremendously positive event for millions of \nfamilies across the country. 
So we have very dark conjectures \naround the security of the website which we must address, but \nwe also can\'t--must keep all of this in perspective about the \nmillions of families who have been helped.\n    I hope this hearing helps us explore these broad privacy \nissues and I look forward to hearing from our witnesses. I \nyield back, Mr. Chair--Madam Chair.\n    [The prepared statement of Mr. Beyer follows:]\n\n            Prepared Statement of Subcommittee on Oversight\n\n                  Ranking Minority Member Don S. Beyer\n\n    Thank you Madam Chair Comstock and Chairman Loudermilk for \nholding this hearing today.\n    Recent news stories on the sharing of Healthcare.gov \nvisitor data with third parties raise legitimate privacy \nconcerns. According to these news reports data including an \nindividual\'s income, zip code and pregnancy status were being \nprovided to multiple Third-Party Websites and Applications \n(TPWAs) tools embedded on the website. According to these \nstories, no personally identifiable information, known as PII, \nwas provided to third parties. However, news reports also \nsuggest that the information was being provided to third \nparties without the clear consent of visitors to the site.\n    There are many questions I think Members on both sides of \nthe aisle have about how Healthcare.gov implemented the use of \nthird party tools on the website. What restrictions were placed \non the use of this data by third parties? Why was there a need \nfor multiple third party tools on the website? How did these \ntools help improve the function of the website and the user\'s \nexperience? Could some of this work have been done in-house?\n    Unfortunately we will not be able to get definitive answers \non any of these questions today. Today\'s hearing will be \nlargely speculative in nature since we don\'t have any \ngovernment witnesses to explain these issues. 
I understand the \nMajority originally invited government witnesses, but provided \nthem with short notice to prepare their testimony. My \nunderstanding is we may have a follow-up hearing with the \nproper set of witnesses to address these issues later this \nmonth. In a perfect world, we would have had that hearing \nfirst. Instead, I fear we will start with lots of speculation \nand will then try to uncover the facts at a later date.\n    The use of third party website tools on Healthcare.gov has \ndrawn the public\'s attention to this issue, but I hope our \nwitnesses, particularly Ms. De Mooy, can help us explore the \nlarger privacy issues regarding the use of these and other \ntools to monitor online activities and their impact on our \nindividual privacy. The use of third party websites is \nworrisome, but not unusual in the digital online environment. \nOne recent study, for instance, found that the top 100 most \npopular websites were being monitored by more than 1,300 firms \ndeploying these third party tools. And while I believe we \nshould explore the privacy implications of using third party \nwebsites this is simply a small slice of the privacy pie. From \nthe moment we enter the digital domain, whether it is turning \non our cell phone, logging onto the Internet or opening up a \ntablet or other digital device our data is collected, collated \nand analyzed by corporations, organizations, government \nagencies and online advertising companies.\n    In the physical world our identities are often measured by \nthe details on our driver\'s licenses: our birth date, our \nheight, our weight and gender. But in the digital world the \nmetrics used to measure who we are seem to be based on \nobserving the web pages we visit, the purchases we make, the \npeople we ``virtually\'\' socialize with, the news items we read \nand the movies we watch. 
I am concerned about the use of these \nnew metrics that constantly track and measure our personal \nlives online.\n    On the security side, we must realize that any IT \ninfrastructure is constantly evolving and improving. It is \nunclear if the use of third party tools had any direct impact \non the security of Healthcare.gov, but I also believe this \nissue needs to be put in perspective. Just last week, reports \nsurfaced that Anthem, Inc., one of the country\'s largest health \ncare providers, announced that they had a data breach exposing \nthe accounts of 80 million customers. That breach compromised \nPII that included customer social security numbers and e-mail \naddresses. The size of that breach is eight times the total \nnumber of people who have signed up for the Affordable Care Act \nthrough Healthcare.gov.\n    Since the launch of Healthcare.gov an additional 10 million \nAmericans now have healthcare coverage. I believe that \nextending market opportunities to 10 million Americans to get \nhealth insurance represents a tremendously positive event for \nmillions of families across this country. Despite the dark \nconjectures about security of the website, they have not \nsuffered any significant loss of personally identifiable \ninformation or major security breach to date.\n    Privacy protections must be addressed and improved \nthroughout the internet, and that includes on Healthcare.gov. I \nhope this hearing helps us explore these broad privacy issues \nand I look forward to hearing from our witnesses.\n    With that I yield.\n\n    Chairwoman Comstock. Thank you.\n    And if there are Members who wish to submit additional \nopening statements, your statements will be added to the record \nat this point.\n    Chairwoman Comstock. Okay. At this time I would like to \nintroduce our witnesses. Our first witness is Ms. Michelle De \nMooy, Deputy Director of the Consumer Privacy Projects at the \nCenter for Democracy and Technology, or CDT. 
Prior to CDT, Ms. \nDe Mooy was Senior Associate for National Priorities at \nConsumer Action, a national nonprofit focused on empowering \nunderserved and disadvantaged consumers. Ms. De Mooy earned her \nbachelor of arts degree in government from Lehigh University.\n    Our second witness today is Mr. Morgan Wright, Principal \nfrom Morgan Wright, LLC, where he provides advisory and \nconsulting services in cybersecurity and identity theft. Mr. \nWright has provided in-service training to the FBI Computer \nAnalysis Response Team, served as Global Industry Solutions \nManager for Public Safety and Homeland Security at Cisco, and \nas Vice President of Global Public Safety at Alcatel-Lucent. \nMr. Wright received his bachelor of science from Fort Hays \nState University and an Executive Certificate in Leadership and \nManagement from the University of Notre Dame. Perhaps most \nimportant of all, Mr. Wright is a resident of the 10th District \nof Virginia, but I didn\'t know you were coming today until they \nreached out. But I am pleased to welcome you today to the \nhearing.\n    So pursuant to Committee\'s rules, all witnesses must be \nsworn in before they testify so I guess we all stand up. And \nplease rise and raise your right hand.\n    Do you solemnly swear or affirm that the testimony that you \nare about to give will be the truth, the whole truth, and \nnothing but the truth so help you God?\n    Let the record reflect that the witnesses answered in the \naffirmative.\n    Thank you. You can be seated.\n    Okay. And now we will have our five-minute statements from \nthe witnesses. And your entire statement, if it is longer, will \nbe entered into the record also.\n    I now recognize Ms. De Mooy for five minutes to present her \ntestimony.\n\n               TESTIMONY OF MS. MICHELLE DE MOOY,\n\n               DEPUTY DIRECTOR, CONSUMER PRIVACY,\n\n              CENTER FOR DEMOCRACY AND TECHNOLOGY\n\n    Ms. De Mooy. 
Chairwoman Comstock, Chairman Loudermilk, \nRanking Member Lipinski, Ranking Member Beyer, and Members of \nthe Committee, thank you for the opportunity to come here today \nand testify on behalf of the Center for Democracy and \nTechnology.\n    CDT is a nonpartisan, nonprofit technology policy advocacy \norganization dedicated to protecting civil liberties and human \nrights on the internet, including privacy, free expression, and \naccess to information. I currently serve as the Deputy Director \nof CDT\'s Consumer Privacy Project.\n    We welcome the attention the Committee has given to the \npressing issues of consumer data privacy and security through \nthe lens of data sharing on HealthCare.gov. I will review first \nthe data-sharing practices on HealthCare.gov, discuss the \nprivacy and security concerns that these bring up, and make \nfive concrete recommendations for the government to address \nthese concerns.\n    Several weeks ago, the security firm Catchpoint Systems \nfound that user information was being shared with over 50 \nentities on HealthCare.gov without user knowledge or \npermission. When citizens visit HealthCare.gov to learn more \nabout the programs offered to them under the Affordable Care \nAct, they are asked to give certain pieces of personal \ninformation in order to show which health insurance plans they \nqualify for. After submitting this information, HealthCare.gov \nthen surprisingly sent a referral URL to an array of third \nparties that included some of this information that the \nconsumers had submitted to the site, including parental status, \nZIP code, and annual income. 
This information is used both by \nwebsites themselves and third parties for website analytics, as \nwell as for advertising and marketing purposes, also known as \nretargeting.\n    For HealthCare.gov administration officials have said that \nthe refer URL was directed to third parties in order to give \nconsumers a simpler, more streamlined, and intuitive \nexperience, and this is doubtless true. However, the \ngovernment\'s decision to work with outside vendors allowed \nprivate companies to access user information without their \nknowledge or consent. It is not clear if HealthCare.gov used \ntracking technologies for retargeting purposes but it appears \nlikely to have played a role.\n    The use of retargeting in order to increase awareness of \nand enrollment in available health insurance plans would have \nbeen an understandable goal for the government. It is not, \nhowever, a free pass for the government to share user \ninformation and characteristics with an array of third-party \ncommercial entities, without permission.\n    Sharing of personal information with third parties is a \nprivacy concern for several reasons. People who visit \ngovernment websites often do not have a choice. They must visit \na designated online place in order to access specific \ngovernment products and services. Personal data is valuable. \nWhen personal information is collected and shared, it is often \ncombined with other data to build individual profiles. This \nprofile is used to target products and services to you and is \nincreasingly also used to create consumer scores that function \nsimilarly to credit scores. Health information in particular is \nsold for a high premium on underground markets, some experts \nestimate up to $40 to $50 a record, because it is fairly easy \nto monetize for criminals seeking to bill expensive medical \nitems to Medicaid, for example, or to commit medical identity \ntheft. 
The theft or use of health information is much harder to \nrecognize and stop than the theft of financial data and more \ndifficult for victims to seek redress.\n    The number of third-party content providers loading code \ninto the browsers of visitors on HealthCare.gov poses serious \nsecurity issues. Researchers have pointed to third-party \ncontent as one of the primary ways for websites to be infected \nwith malware. Hackers wishing to compromise the integrity of \nthird-party content providers can accomplish a wide range of \nattacks from simply changing the content of the page to \ncapturing user information and credentials like passwords.\n    There is no evidence that personal information from \nHealthCare.gov has been misused but the number of outside \nparties that can load content and that can see personal \ninformation about users is troubling.\n    Overall, the privacy and security missteps taken by \nHealthCare.gov were avoidable. We recommend that the government \nimmediately take the following steps: 1) follow sensible \nguidance available to them and to Office of Management and \nBudget documents on third-party sharing; 2) implement the six \nrecommendations to protect user privacy and security on \nHealthCare.gov made in a 2014 report by the Government \nAccountability Office; 3) strengthen HealthCare.gov\'s privacy \npolicy limiting third-party sharing only to which it needs to \nfunction; 4) implement in-house analytic software that does not \nreport user data back to the software maker; 5) honor the \nwishes of consumers that express a preference in their browsers \nnot to be tracked.\n    Ultimately, Congress can best protect consumer information \nby strengthening legal incentives for companies to better \nsafeguard data and by enacting comprehensive data privacy \nlegislation to give users more control over how their \ninformation is collected and used.\n    Thank you.\n    [The prepared statement of Ms. 
De Mooy follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]     \n        \n    Chairwoman Comstock. Thank you.\n    I now recognize Mr. Wright for five minutes.\n\n                TESTIMONY OF MR. MORGAN WRIGHT,\n\n                 PRINCIPAL, MORGAN WRIGHT, LLC\n\n    Mr. Wright. And it is a pleasure to be in the 10th \nDistrict. Thank you.\n    Chairwoman Comstock, Chairman Loudermilk, Ranking Member \nLipinski, and Ranking Member Beyer, and Members of the \nCommittee, thank you for inviting me again to testify.\n    I am Morgan Wright. I am a Principal of Morgan Wright, LLC. \nI provide advisory and consulting services to the private \nsector in the area of cybersecurity, advanced technology \nintroduction, strategic planning, and identity theft solutions. \nIn addition, I am currently a Senior Fellow for the Center for \nDigital Government. The Center is an advisory institute on \ninformation technology policies and best practices in state and \nlocal government.\n    Now, I had the honor of testifying before the Committee on \nNovember 18, 2013, concerning the security of HealthCare.gov at \nthat time. Since that time, there has been progress made in \naddressing security and privacy concerns, but yet I find myself \nrepeating many of the same observations today that I made \nnearly 15 months ago.\n    I was posed three questions from the Committee. As to the \nfirst question, in the healthcare field, there is an approach \nthey call minimum effective dose, which is the lowest dose \nlevel that you need to get a significant response. If we apply \nthat to third-party applications on the site, it is apparent to \nsee that out of the 50 previously reported compared to the 11 I \nobserved this morning when I checked the site again, that was \nan overdose not needed as evidenced by the action of removing \n39 of them since discovery. In comparison, Whitehouse.gov and \nIRS.gov have only four and two third-party applications running \nrespectively. 
There is no doubt some level of measurement is \nneeded but 50 is digital overkill.\n    Numerous questions need to be answered by CMS. Are there \nany written agreements governing the collection and use of PII? \nHow long has each third party been active on the site? How is \nthe use of data governed and audited? Were consumers ever \nnotified that their PII was being shared with third parties? \nAnd these are just a few of the questions.\n    As to the second question, the security of the site has \nbeen a primary point of weakness since before the launch on \nOctober 1, 2013. In my previous testimony, I highlighted \nseveral major issues prior to and after launch. Among them was \nthe lack of and an ability to conduct an end-to-end security \ntest on the production system. The fact that numerous security \nflaws, flaws that are the most basic type, are left to be \ndiscovered by outside third parties, makes it appear \nHealthCare.gov is crowdsourcing the security and privacy of \nthis important site.\n    In September of 2014 the GAO issued a report on the site. \nThe highlights state in part that weaknesses remain in both the \nprocesses used for managing information security and privacy, \nas well as the technical implementation of IT security \ncontrols. Just some of the key findings: one of the key \nfindings, CMS has not fully implemented security and privacy \nmanagement controls. It stated that it did not fully implement \nactions required by NIST before collecting and maintaining PII.\n    Another finding: CMS did not document key controls in \nsystem security plans. The findings said without complete \nsystem security plans, it will be difficult to make a fully \ninformed judgment regarding the risk. 
Look, if an authorized \nsecurity decision-maker cannot be fully informed to understand \nthe current risk, it is inconceivable to think that sufficient \ninformation exists today to enable 50 third-party applications \nto operate on HealthCare.gov and to fully understand the \nassociated risk.\n    Another finding: CMS did not conduct complete security \ntesting. This is an echo of my previous testimony.\n    And one of the final ones: control weaknesses continue to \nthreaten information and systems supporting HealthCare.gov. And \nin the finding it said CMS--and this is the troubling one--CMS \ndid not restrict systems supporting the federally facilitated \nmarketplace, FFM, from accessing the internet allowing these \nsystems to access the internet may allow for unauthorized users \nto access data from the FFM network, increasing the risk that \nan attacker with access to the FFM could send data to an \noutside system or that malware could communicate with the \ncommand-and-control server.\n    The unmanaged access to outside connectivity is very \ndisconcerting. The documented activities of Unit 6139A of the \nChinese People\'s Liberation Army and the indictment of five of \ntheir members relied upon this exact recipe for their \nactivities. The introduction of third-party applications \ncombined with lack of security, oversight, and control raises \nthe specter of current and undetected state-sponsored \npenetration of HealthCare.gov. Significant data breaches have \nbeen accomplished against far more secure systems.\n    And as to question three, as NIST continues its leadership \nrole, it has spearheaded the development of the framework for \nimproving critical infrastructure cybersecurity. A review of \nthe framework provides valuable approaches for CMS to utilize \nin securing the site. The aspect of privacy is so fundamental \nthat it was referred to 30 times in the document. 
One of the \nfoundational documents is their Special Publication for \nInformation Systems and a key section of the document is \nAppendix J, Privacy Control. It is a relatively new section but \nI believe that there is one control under there, AR-3, privacy \nrequirements for contractors and service providers would be \napplicable in this case to the use of third-party applications \nand, if followed, would have allowed--would not have allowed \nfor the proliferation of unmanaged data collection.\n    So thank you for your time and I look forward to your \nquestions.\n    [The prepared statement of Mr. Wright follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] \n        \n    Chairwoman Comstock. Thank you very much. I thank the \nwitnesses for their testimony and insights.\n    And now we are going to do questioning for five-minute \nrounds. And I will recognize myself for five minutes.\n    Now, given that we first learned about these I guess about \nthree weeks ago. If we were--and this is to both of you--if \nHealthCare.gov were employing a lot of the management tools \nthat you have outlined here for us, would CMS be able to fairly \nsimply tell us what was going on? Is it something that should \ntake a long time for them to tell what their system does and \nwhether it is safe or not? Because I think from the consumers\' \nstandpoint, I think we would like to know pretty quickly what \nis going on one way or the other in case it needs to be \nremedied, like you said in the case of if 50 is too many, what \nis okay or what is--shouldn\'t they know how many are there? So \nI am just trying to get a sense of what should they be doing so \nthat they can tell us something fairly basic like this pretty \nquickly.\n    Mr. Wright. You bring up--and I appreciate the question. \nYou bring up from my prior testimony, I think one of the \nfundamental things that has to be done is a complete end-to-end \nsecurity test of the production system. 
It is referenced again \nin the GAO report and Ranking Member Lipinski, even to your \ncomments, there has been a lot of significant progress made. \nThey do need to do marketing but we all want that marketing to \nbe safe. You know, HealthCare.gov isn\'t about R\'s and D\'s. It \nis about ones and zeros. It has no allegiance to a party. It \ndoes what it is told and my concern is that the ones and zeros \nare not being told to do the right things to protect not only \nthe privacy but the security. You can\'t have total visibility \nof a system until you understand end-to-end. And the government \nwould not allow a car to be sold on the open market unless it \nwent through a complete crash test. You cannot test individual \ncomponents of a car and say it is safe; it has to go through \nthe entire gambit. And HealthCare.gov should do the same.\n    Ms. De Mooy. Yes, thank you for the question. I think from \na consumer perspective the way that people would have found out \nabout this was through the privacy policy, and we found a lot \nof problems with the HealthCare.gov privacy policy. For \nexample, it is very broad and very vague. They don\'t define \npersonally identifiable information and there are guidelines in \nNIST for defining this, but the impetus is on the privacy \npolicy to sort of define it for itself so that there aren\'t any \nloopholes in which data can fall through. So that would have \nbeen very helpful. That would have been a form of transparency \nthat would have allowed people to understand a little bit more.\n    Also, the privacy policy kind of deferred to the privacy \npolicies of the third parties. So it was--the onus was on the \nconsumers or the visitors of the site to find out the policies \nthen of the third parties, which is a little disingenuous \nconsidering that many of people had no idea that these third \nparties were there in the first place.\n    Chairwoman Comstock. 
You know, if one of the reasons why \nthey are doing this is they are trying to reach more people to \nsay hey, you might be eligible, you know, whatever you are \ndoing, aren\'t there other much safer ways to do that? Like, \nsay, you know, if we know a particular ZIP code has a high \ndensity of uninsured people, you can--I mean would it expose \nanyone\'s privacy if you were maybe advertising online to \nsomebody in their ZIP code or, you know, you were doing \noutreach efforts that are targeted to targeted populations? Is \nthere a way--what is the best--you know, sort of best practices \non doing that in a way that secures people\'s privacy?\n    Ms. De Mooy. Sure. Yes, Chairwoman, I think that the way \nthat you put it is exactly right, that there are ways to limit \nit to certain data points so that you are not getting \nunnecessary data in order to do things like retargeting. And \nyes, there are very good reasons why the government, to fulfill \nits mandate, would need to do outreach to try to get more \nenrollment, to try to get people aware of these programs.\n    That said, I think the way that my fellow witness here put \nit, it was overkill. There was no need for the leakage that \noccurred. And I think some of this is governed by the contracts \nthat existed between the government and the vendors that they \nused, and I think it would be very helpful for when the \ngovernment witnesses are here to find out exactly what the \nterms of those contracts were in terms of data sharing.\n    Mr. Wright. Just a quick follow-up, too. You know, I am not \nthe marketing expert, but however, I do know is that a great \nmarketing product or software implemented poorly is still a \npoorly designed product. 
And the concern is that even though \nas these things collected data and information, there is a huge \nissue with the collection of data by several--there are about \n52 major data brokers that, if you want to find out what \nsomebody is doing online, their address, we saw this in \nFerguson, we saw this with ISIS and the compromise of the \nCENTCOM site. They are using personally identifiable \ninformation to target people.\n    Ask Colonel Replogle of Missouri Highway Patrol. His \ninformation was released by Anonymous and he was specifically \ntargeted. So these things--these programs have consequences if \nnot managed correctly.\n    Chairwoman Comstock. Thank you very much.\n    And I now recognize Mr. Lipinski.\n    Mr. Lipinski. Thank you, Madam Chairwoman.\n    I just want to make sure we try to take a couple steps back \nhere because there is a lot we don\'t know unfortunately. And I \ndo look forward to asking questions of the--of the CMS.\n    But just so I have a better understanding, I think we \ndiscussed the use of third-party analytics tools is common in \nboth private and governmental websites. What usually is done on \na private website when they are using a third-party data \nanalytic--how is it--how is privacy--and again, we have to talk \nabout what the standards are going to be, but what is usually \ndone? When I go to a website, how often are there third parties \nlooking at the data and what happens with that and how do I \nknow that there are third parties? What is going on with that \nand am I--is there any way that I am protected if I am going to \na private website?\n    Ms. De Mooy. Thank you for the question. It is a great \nquestion and it sort of begins at the layers of communication \nthat occur when you go onto the web. Some of them are behind \nthe scenes and some of them are more apparent. It is rampant on \nthe web certainly with commercial websites but even, you know, \nall sorts of entities. 
Data sharing is absolutely aggressive. \nSo in terms of protections, there are very few. There are \nsettings that you can place on browsers that restrict or at \nleast broadcast the fact that you would not like to be tracked, \nbut those are sort of on the honor system right now, which \nmakes it difficult to enforce.\n    But just to get back to your technical question, when you \nare online and say, for example, you click on a link or you go \nto a website, it will trigger a message from your browser to \nthe intended website\'s server and that sort of announces your \narrival to them and it will share basic information about you \nlike your IP address, which I think most people know but it is \nsort of like your telephone number is your address on the \ntelephone network. Your IP address is your address on the \ninternet. And the information exchanged usually during this \npoint is just utilitarian, sort of what does your browser \nsupport so that the website will load correctly?\n    When a website wants to customize this and wants to sort of \nremember who you are and remember certain places that you may \nhave gone, things you are interested in, which is how we put \ncustomization, they may enact third parties and that may \ninvolve dropping a cookie, which is sort of a little recorder \nis the way I like to think of it, onto your computer and that \nwill observe where you have been and it will also observe where \nyou are going to, so different websites that you are surfing to. \nAnd if the site wants to do marketing and advertising, they \nwill employ third parties and they will have different \ncontracts. And this can be up into the hundreds and thousands \nfor some sites.\n    Mr. Lipinski. And why would there be so many?\n    Ms. De Mooy. 
Well, it is a lucrative business and data \nminers and advertising networks work in real time, and so the \ntime that you are online may feel slow to you but to the \nadvertising networks, they are grabbing millions and trillions \nof data points every single second. And so that is monetized \nthen into serving advertisements. So the more, the merrier.\n    Mr. Lipinski. Okay. Because is there any--the question is \nfor the--for HealthCare.gov is why were there so many--however \nmany it is--and we are still not exactly sure how many--why \nwould there be a dozen, two dozen, three dozen----\n    Ms. De Mooy. Um-hum.\n    Mr. Lipinski. --and why would HealthCare.gov--why would \nthey use that many?\n    Ms. De Mooy. To me that is inexplicable to be quite honest. \nI can tell you that the rationale would probably include web \ncustomization, so wanting, as they said, to make the site more \nstreamlined, more intuitive for people so that it is easier to \nfind access to the information they are looking for. In other \nwords, if a consumer comes to a website and they really just \nwant to see the plan rates, but the website will serve that to \nthem the next time and it sort of remembers that.\n    The act of having--especially for a government website--\nthat many entities in order to do something like retargeting to \nme is inexplicable. I think it is an example--and this is just \nspeculation--is an example of when you have multiple different \ncontractors working on a project, this was sort of the easiest \nand kind of laziest way to design the site, to do--there are \nways to do it in-house and there are ways to do it in a more \nprivacy-protective manner, but that was not done here.\n    Mr. Lipinski. Okay. There are ways to do that in-house, you \nsaid----\n    Ms. De Mooy. Yes.\n    Mr. Lipinski. --and your testimony you had talked about \nthat. I think I am going to--my time is almost up. 
I want to \nmake sure everyone else has questions.\n    If we have time for a second round, I will have more, but I \nyield back.\n    Chairwoman Comstock. Thank you.\n    I now recognize Mr. Johnson five minutes.\n    Mr. Johnson. Thank you, Madam Chairman. And thank you to \nthe panelists for being here today.\n    I can tell you that as a 30-plus year IT professional both \nin the Department of Defense and in the private sector I remain \nvery, very concerned about the inadequacy of security and the \nsafeguarding of consumers\', hard-working taxpayers\' personal \nprivate information.\n    Ms. De Mooy, in May of 2013 the President issued that \nExecutive Order to establish an open data policy to make open \nand machine-readable data the new default for government \ninformation taking really historic steps to make government-\nheld data more accessible to the public and to entrepreneurs \nwhile appropriately safeguarding sensitive information and \nrigorously protecting privacy, or so it is stated.\n    Let\'s go back for a second so that I can get this straight. \nIs it mandated in your opinion--it has been mandated by the \ngovernment that Americans need to sign up for healthcare and \nthat, for the most part, they will do so on the government-\ncreated website HealthCare.gov, correct?\n    Ms. De Mooy. That is correct----\n    Mr. Johnson. Okay.\n    Ms. De Mooy. --as far as I know.\n    Mr. Johnson. Now, once they are on HealthCare.gov, they \nhave to give their personal information in order to sign up for \ntheir healthcare, correct?\n    Ms. De Mooy. That is correct, sir.\n    Mr. Johnson. Okay. And with what we are learning today, the \ngovernment is then helping companies through this Open Data \nInitiative to collect all of that personal information of the \nAmerican people--on the American people, correct?\n    Ms. De Mooy. I am not quite sure what the question was.\n    Mr. Johnson. 
What we have learned from the President\'s \nExecutive Order and all of this open data transformation that \nhe has done, we are learning that the government is helping \nthese outside companies through their data mining efforts, \nthrough this Open Data Initiative to collect all of that \npersonal information on the American people, correct?\n    Ms. De Mooy. My understanding of the Open Data Initiative \nis a bit different. It is more about actionable data that can \nbe used to help the public or for the public. It is more about \ntransparency. And in this case, transparency would have been \nvery helpful. I think that the fact that people have no choice \nwhen they come is a serious problem that should have held the \ngovernment to a higher standard in terms of protecting their \nprivacy and security.\n    Mr. Johnson. Well, again going back in my experience and \nsomething that Mr. Wright said a little earlier, you know, this \nis not rocket science. It is ones and zeros. And if they are \nallowing this Open Data Initiative to collect some information \nthat is out there, I mean we have seen how many different \ncommercial and government systems have been hacked by the bad \nguys already----\n    Ms. De Mooy. Um-hum.\n    Mr. Johnson. --and with the security concerns that we have \ngot about HealthCare.gov already, do you believe that the \nAdministration is yearning for greater openness to make \ngovernment-held data more accessible? Do you believe that has, \nwhether intentionally or unintentionally, potentially \ncompromised American citizens\' privacy on HealthCare.gov?\n    Ms. De Mooy. In my opinion, no. I think the government--I \ncan\'t speak for what the intentions were. 
I don\'t have any \ndirect knowledge of that, but I can say that my understanding \nof the Open Data Initiative was about giving citizens more \nopportunities for actionable data, more transparency in the \ngovernment, and I think in this case it had more to do with the \nfunction of the site, which was to reach as many people as \npossible, to, you know, do some advertising and marketing to \nget to the populations that would be interested in this. And I \nthink they went far beyond what was necessary and far beyond \nwhat their own government has suggested and prescribed.\n    Mr. Johnson. I am running out of time.\n    Mr. Wright, same question to you. Do you think that \nallowing this Open Data Initiative, have we potentially \ncompromised American citizens\' privacy on HealthCare.gov given \nwhat we already know about the security inadequacies of the \nsystem?\n    Mr. Wright. My opinion would be yes because it is a--\nbecause now what you are mandating is a philosophy and a \ndirection to say everything will be shared except for maybe \nsome certain things. So people may be interpreting what the \nintent of the Executive Order was and they are attempting to do \nthings, but without clear guidance, without clear structure, \nwithout clear privacy and security, you then get the law of \nunintended consequences, which is the information is used \nimproperly and collected improperly and collected in an \nunabated fashion.\n    Mr. Johnson. I tend to agree with you, Mr. Wright. I \nrespect your opinion, Ms. De Mooy, but as someone who has had \nto provide security to systems--in systems, I personally think \nwe have opened the proverbial barn door and the cows are going \nto get out. And with that, I--my time is expired.\n    Ms. De Mooy. I am sorry. I just had one additional comment \nto make, sir.\n    Just--I think The Open Data Initiative should be coupled \nwith the understanding that trust is necessary. 
The people \nneeded to have trust in the systems and particularly when it \ncomes to healthcare Americans shouldn\'t have to choose between \nprivacy and health.\n    Mr. Johnson. Oh, my goodness, Madam Chair, you are exactly \nright. The people should be able to trust, but the \nAdministration has demonstrated clearly that it is not a \ntrustworthy system.\n    Ms. De Mooy. Right, and perhaps proverbial--\n    Mr. Johnson. Security was never designed into the system in \nthe first place.\n    Chairwoman Comstock. Thank you.\n    I now recognize Mr. Beyer for five minutes.\n    Mr. Beyer. Thank you, Madam Chair.\n    Mr. Wright, I just wanted to clarify one thing. You suggest \nin your testimony that personally identifiable information was \nreleased from HealthCare.gov and it is true that information \nwas released to third parties--we have heard about this, the 50 \npeople--50 agencies, and there certainly are legitimate \nprivacy-related questions, but from everything I know there is \nno PII data that was actually released and certainly no medical \nrecords.\n    Unfortunately, we have seen many, many other instances of \nPII data released on a frequent basis. Last year, eBay revealed \nthat hackers had stolen the personal records of 233 million \nusers, including usernames, passwords, phone numbers, and \nphysical addresses. Anthem, we talked about, with the 80 \nmillion. My wife seems to get a new credit card every 90 days \nbecause the bank sends her a note saying the credit card has \nbeen compromised. And these are all unfortunate circumstances \nbut they point to larger issues, security and privacy, but I \ndon\'t think they point to specific PII data from \nHealthCare.gov. Your comments?\n    Mr. Wright. No, correct. 
And it is not the implication that \npeople\'s complete PII was released, but when you take pieces of \ninformation such as your age, your income, whether you are \npregnant or not or you smoke, the whole point about the ability \nto correlate from large amounts of data sets, your visit at \nHealthCare.gov combined with information from other data \nbrokers or other things that you have done has now created the \nopportunity, and actually the end result then is the disclosure \nbecause you provided the key components that link behavior on \none side or behavior on the internet now to very specific \ninformation about you.\n    The Chair, when she released her statement, is one of the \nthings in my written testimony about MIT. We have now gotten to \nthe point on the internet to where there is so much data \nfloating out there it takes very small steps to be able to \ncreate a profile on user to understand where you live, what you \ndo, what your interests are. Marketers use it all the time but \nthe issue--the difference between the public sector and the \nprivate sector is if my information gets exposed from eBay, \nthere will be 1,000 attorneys filing class-action lawsuits. \nUnfortunately, with the immunity of the federal government, \ncitizens don\'t have the same recourse. So to your point, that \nhigher standard needs to be there. So because I don\'t have that \nrecourse I should then have the higher standard to not have to \nworry about that.\n    But in total agreement, no specific PII was released, but \nthe combination of factors and bringing it all together, it is \nthe totality of the circumstances, not an individual action.\n    Mr. Beyer. Okay. Thank you very much.\n    Ms. De Mooy, is there any reason not to prohibit third-\nparty vendors and can the website even be evolved to work \nwithout outside vendors, in-house data analytics? And I wonder, \ntoo, this is very speculative, but we know how tortured the \nrollout of HealthCare.gov was. 
How much of this do you think \nwas the crashing and burning of CGI and the replacing with \nAccenture and all the firms trying to put Humpty Dumpty back \ntogether again?\n    Ms. De Mooy. Well, I appreciate that analogy. I don\'t have \nany knowledge about the mechanisms that went on. I can \nspeculate that when you hire a lot of outside vendors to work \non one project, that the communications can fall apart. And I \nthink in this case, when I look at the site design, it feels to \nme a bit lazy. And like I said before, the easiest thing is to \njust allow rampant sharing. It is a little more technical and \nin fact more well-designed to limit that sharing.\n    Yes, the government could do some of the analytics, \ndefinitely the analytics in-house. They could create sharing \nbuttons. They could have, you know, really ironclad privacy \npolicy that includes privacy policies for their third parties \nas opposed to sort of adopting the policies of their third \nparties.\n    Mr. Beyer. You had mentioned that we need comprehensive \ndata privacy legislation.\n    Ms. De Mooy. Correct.\n    Mr. Beyer. Is there such model legislation out there?\n    Ms. De Mooy. We are waiting on the White House. They had \nsaid that they would release it 45 days after the President\'s \nState of the Union address.\n    Mr. Beyer. Okay. Great. Thank you.\n    I yield back, Madam Chair.\n    Mr. Wright. Could I actually add just one comment? Is that \nokay?\n    To your point, though, actually I think one of the things \nthat would help is really not a technical issue. Back in my day \ndoing work inside the justice, the intelligence community, the \none thing that always had to be there was that executive \nsponsorship, that single point of contact who is what--we used \nto call it the single throat to choke. 
I think something that \nwould vastly help and I think the implementation of Accenture \nover CGI, bringing in people who actually have the ability to \ndo that leadership and create that single point of leadership. \nI think that is one of the biggest failures is there was no \nsingle prime in charge of the entire project. We had a lot of \nstovepipes, which we know from information sharing caused \nproblems. I think the biggest thing they could do is really get \ndown to that single point of contact, who is the true leader \nthat I can go to, push their belly button, and solve all of my \nproblems?\n    Mr. Beyer. Thank you very much.\n    Chairwoman Comstock. Good. I now recognize Mr. Posey for \nfive minutes.\n    Mr. Posey. Thank you, Madam Chairman.\n    I understand the purpose of retargeting. When I look at a \nbarbecue or a bathroom vanity or a power tool on a hardware \nstore website, I understand, but it doesn\'t necessarily make me \ncomfortable that the same product pops up on the next website \nthat I visit. And, you know, I understand the idea that \ncompanies want to be able to target me in a similar way, but I \ndon\'t understand why HealthCare.gov would feel the need to have \nsuch similar tactics incorporated as to hardware store or \nZappos or whatever. I mean it seems like a larger invasion of \nprivacy. It seems like a larger invasion of privacy to me. Just \nwondering what your thoughts are, both of you?\n    Ms. De Mooy. Thank you for the question. 
I think the reason \nthat I would imagine that the government would give for doing \nretargeting, which, as I said before, it isn\'t certain--it \nappears to be likely but it is uncertain--the reason they would \nhave done that would be to find the people who needed the \ninformation, so to reach into communities where people who \ndon\'t have health insurance live, go to the sites, and the way \nthat they would learn this is by, you know, sharing the \ninformation and learning where people come from to where they \nfirst learned about it and link to the site and go and making \nsure that they are advertising at that site.\n    One of the problems with that in terms of--from a privacy \nadvocacy perspective is that when you reach into communities \nsuch as those that don\'t have health insurance, you are often \nreaching into communities that are disadvantaged, and there \nhave been studies and surveys that show that people who are \ndisadvantaged tend to suffer more privacy harms in terms of \nbeing labeled. I know the Senate Commerce Committee report came \nout that identified some of these labels as ``urban and barely \nmaking it,\'\' ``second city ethnic,\'\' things that are insulting \nto say the least but also can actually accelerate the cycle of \npoverty by sending things like predatory loans and different \nsorts of interest rates.\n    Mr. Wright. I am with you. I confuse privacy and property \nall the time. I think I buy too much online sometimes.\n    My aspect on it though is not from a marketing standpoint, \nbut any time--if you take a penny and you double it, you know, \nevery day for 31 days, you end up with $10,700,000. 
Every time \nyou add another component, every time you add more things that \nhave to be done, every time you add another third-party \napplication, you just don\'t arithmetically increase the attack \nvectors; you geometrically increase all the things you have to \ndefend against.\n    That is why in my opening statement I talked about, you \nknow, physician, heal thyself. Use a minimally effective dose. \nUse only the things you need to use to accomplish the mission \nyou need to accomplish. It should be a well-defined business \ncase that has security and privacy impacts understood before \nyou do it, and then when you get things like retargeting and \nstuff, then you have very limited scope specifically addressed. \nBut to my--from my perspective, you limit the vulnerabilities \nthen to the site and the amount of things that can be exploited \nbecause one program of itself may be secure, but combined with \nanother one and a third one could create a host of unintended \nvulnerabilities you are not aware of because you have never \ntested that combination of programs before.\n    Mr. Posey. Thank you. And good answers.\n    Is there a requirement or standard or practice for private \ncompanies to inform visitors about third-party analytics?\n    Ms. De Mooy. Yes, sir. Generally, this is done through a \nprivacy policy, which I would imagine most of us in here don\'t \nread. I know that I have been guilty of that. They are very \nlengthy usually in sort of a legalese that is difficult for \nmost people to wade through. So we almost always agree if it is \nsomething that preempts joining a service or a site.\n    The government in this case should be held to a higher \nstandard than that in my opinion not just because the \ngovernment should be the steward of privacy and security but \nalso because, as I said, people don\'t have a choice. They need \nto go to this website and they should have been given a choice \nabout whether to share their data.\n    Mr. Posey. 
Mr. Wright?\n    Mr. Wright. And actually just one point, I mean do you know \nhow many companies would pay big dollars to guarantee 10 \nmillion visitors to their site? I mean it is--there is a--that \nis, you are right, big money, and there is no choice for them \nto go to that. And so to that point it does need to be a higher \nstandard because they don\'t have a choice. Consumers have a \nchoice of going to private websites. They also have the choice \nof litigation. So with Anthem, with eBay, with all the other \nones, there will be litigation over this but is very difficult \nto sue the federal government.\n    Mr. Posey. Very good.\n    Thank you, Madam Chair. I yield back.\n    Chairwoman Comstock. Thank you.\n    I now recognize Ms. Bonamici for five minutes.\n    Ms. Bonamici. Thank you very much, Chair Comstock and \nRanking Member Lipinski.\n    This has been a very interesting discussion, and I have to \nsay that it really highlights the issues of--two issues of \nimportance: access to healthcare and protection of personal \nprivacy. I spent part of this morning in a hearing in the \nEducation Committee about privacy regarding student records, \nand I said then and will say again that whenever we are talking \nabout legislating in the area of technology, it is always a \nchallenge to find the right balance because, as we all know, \nthe technology advances usually a lot quicker than the \nlegislation so we want to make sure that we are finding the \nbalance that protects people\'s privacy but does not inhibit \nvalid, useful purposes for technology and advances in \ntechnology.\n    So I really do look forward to hearing from CMS and hearing \ntheir answers. I know we have had some hearings on this issue \nbefore but highlighting from them. 
As Ranking Member Beyer \nsaid, it would have been best to have them answer questions \nfirst and then we could follow up on what they said.\n    But, you know, I want to say that we all acknowledge that \nthere are legitimate problems with HealthCare.gov. Certainly in \nmy State of Oregon we did not do a good job at all with that. \nBut it is also important to remember that the Affordable Care \nAct is about more than a website; it is about access to \nhealthcare for millions of Americans.\n    I want to make sure that we don\'t, in this hearing and \nother hearings in the future, spread any sort of unfounded fear \nor misinformation when really our constituents are looking for \nclarity. So I hope we can help inform them about ways that they \ncan protect their privacy online and specifically keep their \npersonal information safe.\n    And I want to ask you, Ms. De Mooy, and follow up on the \nconversation you were having with Mr. Posey, that you say in \nyour testimony that consumers from disadvantaged communities \nface more potential harm such as being profiled in databanks. \nSo given the importance of the Affordable Care Act to \ndisadvantaged communities that have historically lacked access \nto affordable healthcare, how can HealthCare.gov do a better \njob of serving those consumers while also protecting their \nprivacy?\n    Ms. De Mooy. Thank you so much for the question.\n    The government needs to implement the recommendations that \nI outlined in my testimony that include guidance from OMB that \nreally lays out exactly how a government should interact with \nthird parties. It is very privacy-protective. It is also \npractical in terms of using sharing technologies, using web \nanalytics technologies.\n    And also my fellow witness brought up and I should mention \nthe GAO report in 2014, which appears to have been ignored. 
I \nam not sure exactly if that is the truth, and it would be \nreally good to hear from the Administration on the progress, \nbut those are also excellent privacy and security guidances \nthat the report gave. So I would say that that would be a good \nstart. And it is actually--as opposed to a data breach, it is \nsomething the government can do right now.\n    Ms. Bonamici. Right. And I look forward to following up on \nthat when the Administration is here.\n    So we talked a lot about the personally identifiable \ninformation, or the PII, and I am just intrigued by this whole \ndiscussion because, you know, we--Mr. Posey was talking about \nZappos and shopping online and how he gets those ads, and not \nto minimize the issue, but say, for example, someone is \nsearching for a cure for morning sickness or newborn clothes, \nmight someone figure out that perhaps they were pregnant? Or \nwhat if they shopped for some sort of product to quit smoking? \nMy point is that there are a lot of ways that I guess these \nthird party companies can figure out those personal--personally \nidentifiable issues.\n    So just to confirm, has any personally identifiable \ninformation been gathered through HealthCare.gov--been used \nimproperly?\n    Mr. Wright. You bring up a very good question. By the way, \nsorry about the Ducks. They beat Florida State, Notre Dame----\n    Ms. Bonamici. Oh, I was----\n    Mr. Wright. --so I am with you on that.\n    Ms. Bonamici. Sorry you reminded me about that, though. I \nam still recovering.\n    Mr. Wright. Yeah. The issue is--and I go back to it--it is \nthe GAO report. It is what I said November 18, 2013. They have \nnever done an end-to-end security test, so until you do, you do \nnot know that PII has never been exposed. All you can say is as \nfar as we know, which back in my days as a detective always got \nme in trouble with the defense attorneys, as far as I know, so \nyou don\'t know everything, you just know that.\n    Ms. 
Bonamici. Yeah, and I understand that they did an end-\nto-end security review in December and they are currently \nreviewing that, so we will make sure that we ask about that \nwhen----\n    Mr. Wright. Well, actually it was a review of controls as \nopposed to an end-to-end full system security test of the \nproduction system.\n    Ms. Bonamici. Thank you. And I do want to try to squeeze a \nquestion in----\n    Mr. Wright. Sure.\n    Ms. Bonamici. --in the last couple seconds about human \nfactors, research, and I know that--I mean, Ms. De Mooy, you \ntalked about how people just tend to click without reading \npolicies. They are given to following what is convenient, don\'t \nunderstand the fine print or the options, so is there some \nresearch that we can do or that can be done that will help \ninform consumers so that they can better protect their privacy \nand defend against cybersecurity threats? Is there certain \nkinds of research that we need to help our consumers and \nconstituents?\n    Ms. De Mooy. Honestly, no. There have been quite a few reports \nand studies done and I think almost every aspect of this has \nbeen looked at and picked apart either by academics or \ntechnologists or advocates. I think simply entities, government \nentities, commercial entities, need to take privacy \ninsecurities very seriously and not view the opportunities to \nget data as, ``I will collect as much as I can and then figure \nout what to do with it later,\'\' but to have very solid systems \nin place that include privacy risk assessments and privacy \nmodel threats, which is, you know, something that is a sort of \na wonky thing to say but is actually very useful, even for the \naverage person to consider what data may be getting out there \nabout you, to really take the resources that are available \nonline to look at your data profile. There are some companies \nthat allow that. 
There are some that give you sort of your \nadvertising profile.\n    Those resources are helpful but I think really the onus is \non especially the government to lead the way by having the \nhighest standard of privacy and security and then to create \nlegal incentives for companies to protect and safeguard user \ndata.\n    Ms. Bonamici. Thank you so much, and my time has expired. I \nyield back.\n    Thank you, Madam Chair.\n    Chairwoman Comstock. Okay. And now I recognize Mr. Palmer \nfor five minutes.\n    Mr. Palmer. Thank you, Madam Chairman.\n    Following on that line of questioning, in the Anthem hack, \nthe hackers got access to medical IDs and that is a little bit \nmore problematic than just finding out what drugs people buy \nand whether or not they exercise, that sort of thing. Would it \nnot create some issues in regard to violation of the HIPAA laws \nif a company bought that data and was able to specifically \ntarget advertising to people, for instance, who are diabetic or \nhave certain other conditions? Let me address that Mr. Wright.\n    Mr. Wright. I remember the initial creation of HIPAA and \nstuff and I know a lot of that dealt with the encryption. I am \nnot an expert on HIPAA so I don\'t even want to pretend that I \ncan answer that completely.\n    Mr. Palmer. Well, let me simplify it.\n    Mr. Wright. Yes.\n    Mr. Palmer. It is against the law to disclose individual \nhealth--patient information.\n    Mr. Wright. Correct.\n    Mr. Palmer. The doctor can\'t do it without your permission.\n    Mr. Wright. Correct.\n    Mr. Palmer. He can\'t share it with anyone, and that medical \nID could potentially get people access to that, that they would \nthen sell that information. And it seems to me that if this is \ngoing on, there ought to be some legal recourse that either the \ngovernment takes or the individuals take against companies who \nbuy the data. 
It needs to go both ways, not just going after \nthe hacker but going after the people who are buying the \ninformation. It is almost like buying fenced goods.\n    Mr. Wright. Um-hum.\n    Ms. De Mooy. Sir, I think one thing that would help would \nbe some transparency into the system, which there is very \nlittle of it right now. Second, I would just say that HIPAA \ndidn\'t apply in this case. The HealthCare.gov website was not a \ncovered entity, which is--HIPAA is, you know, a really \ncomplicated law. I struggle to understand it. But I know that \nit did not fall under the categories of covered entities.\n    Mr. Palmer. Okay. And in that regard, when people are \nbasically being forced into a system, does it not make sense \nthat the government gives them an opportunity to opt out of \nproviding certain data or even allowing their data to be \nshared?\n    Mr. Wright. I think--and it should be very clear because \nyou are on a government system. I mean it is about transparency \nbecause that information you are talking about, collection, can \nalso be used to target a consumer from an individual standpoint \nof access to their medical records, their financial records. We \nknow that these phishing attacks have been successfully done by \nthe Chinese, by the Russians, by other folks targeting specific \npeople. Unit 6139A specifically targeted people by a collection \nof a lot of information. The more information you can get it, \nit becomes--to a behavioral standpoint, I used to instruct \nbehavioral analysis like out at the NSA. 
I will tell you this, \nthat if I can get inside your mind and I can make you believe \nit is a legitimate email because I have enough detail and I can \nconvince you, now I can compromise your identity.\n    That is the scary part about medical identity because now \nthat the payment system will be coming online, the ability to \ncommit fraud with somebody\'s medical identity, as the Chair \npointed out, 10 times greater than straight identity theft, the \nvalue of that information.\n    Mr. Palmer. All right. In a report from last August--or \nAugust of last year, which I guess would be last August, HHS \nInspector General found that the value of the 60 contracts that \nwere issued to develop and operate HealthCare.gov totaled $1.7 \nbillion. At the end of last year Accenture was awarded a five-\nyear contract to fix HealthCare.gov that totaled $563 million. \nAltogether now we have spent at least $2.3 billion on this \nfailed website. How much do you estimate that it is going to \ncost to implement your suggestions to secure it?\n    Mr. Wright. My original testimony back in November there is \na rule of thumb that says if it costs $1 to fix it before it is \nlaunched, it costs $10 to fix it after it is launched. In an \nobservation--\n    Mr. Palmer. I think it is going to be a little bit more \nthan 10, though, so what----\n    Mr. Wright. Well, I mean it is--what I am saying is that if \na problem--\n    Mr. Palmer. It is a tenfold issue?\n    Mr. Wright. It is a tenfold issue. So if it costs you $1 \nmillion before launch you could have fixed it, it will cost you \n$10 million after launch. And, you know, my dad was a World War \nII vet. They fought and completed World War II, built numerous \nships, numerous--thousands, hundreds of thousands of planes and \ntanks with far less--in far less time, and my concern is this \nwill keep going because they are not addressing the fundamental \nissues.\n    Mr. Palmer. 
I would like, if you don\'t mind, for you to get \nback to the Committee and give us a number. And in regard to \nyour last point there, I used to work in engineering and we had \na saying that there is never time to do it right but there is \nalways time to do it over. Apparently, that is the case here.\n    Thank you, Madam Chairman.\n    Chairwoman Comstock. Thank you.\n    And I yield to Mr. Tonko for five minutes.\n    Mr. Tonko. Thank you, Madam Chair.\n    The traffic to the federal government health insurance \nwebsite was up 58 percent compared to the same time last week \nin a week-to-week measurement. That was some 275,000 \nindividuals that signed up, making it the busiest enrollment \nperiod of the past two months, and the comparisons from last \nyear to this year are ``as an experience, pretty dramatic.\'\' \nWhat is your reaction to that?\n    Ms. De Mooy. My reaction is that the government should \nimmediately implement some of these recommendations to make \nsure that no, as I said, American should have to choose between \ntheir data sharing and their health.\n    Mr. Tonko. Does it indicate any sort of comfort zone with \nthe website?\n    Ms. De Mooy. I think that is difficult to say. I think \nthere is a deadline looming and so the government has tried to \nget as many people who need this service to make sure that it \nis in front of them and available to them. But the fact that \nthey have reduced data sharing is good; they just need to do \nmore.\n    Mr. Tonko. Um-hum. And it seems like over the past 10, 20 \nyears the expectations of privacy have diminished dramatically. \nDo you think that that is true and what can we do to ensure \nthat private personal data stay private?\n    Ms. De Mooy. I don\'t think that is true. It is something \nthat I hear quite a bit and I usually hear from people who have \ncurtains and people who like to wear pants, for example, sort \nof not clever way but people care about privacy. It is a part \nof autonomy. 
It is at the heart of it. And when you take that \nautonomy away, in this example, where the government didn\'t ask \nor get permission, then you are removing a fundamental right \nthat we have.\n    I think there are steps that--especially in the case of \nHealthCare.gov--that can be taken to ensure more privacy, to \nensure autonomy and freedom, and so that when people go, they \nhave the option of whether they want to share this kind of \ndata. Certainly in the health context it is more sensitive.\n    I think companies have options. I think privacy is in \nitself an innovation. To speak to your point about making sure \nthat we don\'t limit innovation, you know, the internet, I \nremember a time when the internet was not something that people \nused to buy things from. It was literally too scary to do that \nbut privacy became an innovation that allowed that to happen.\n    Mr. Tonko. Um-hum.\n    Ms. De Mooy. And I think in this atmosphere of data \nsharing, rampant data sharing, that needs to happen once again.\n    Mr. Tonko. Ms. De Mooy, one of your recommendations that \nwould address the wider problems beyond HealthCare.gov was to \nstrengthen legal incentives for companies to better safeguard \ndata. Can you speak more directly to this and what it would \nlook like and why it is necessary?\n    Ms. De Mooy. Sir, I think that is something I could get to \nyou in writing. In our written testimony that sort of lays out \nsome of our recommendations. And CDT has done quite a bit of \nwork on policy in that and I think I would do it a disservice \nto sum it up now. But I can say that in the President\'s \ncomprehensive Consumer Privacy Bill of Rights, what that did \nwas create a framework for legislation around the fair \ninformation practice principles, which have guided privacy and \nsecurity for decades and are sort of renowned as something that \nis flexible and nimble enough to address new technologies. 
I \nthink that would be a start for there to be sort of a baseline \nconsumer privacy legislation, something that we have been \nsorely lacking in the United States.\n    Mr. Tonko. And are there steps that you believe can be \ntaken by private industry or commercial companies, internet \nproviders to help limit the amount of personal data these \nenterprises collect?\n    Ms. De Mooy. Absolutely. I think data minimization is a \nterm that we use to describe when a company has a purpose for \ncollecting a data point and that it stops collecting after that \npurpose has been fulfilled. It is a kind of simple concept but \none that is lost, especially in the rampant data collection \nonline. So implementing a real understanding of why you need a \npiece of data and not just collecting every single piece that \nyou can get would drastically reduce the risks to people in \nterms of security and privacy.\n    Mr. Tonko. Um-hum. Is there a point where that could become \nunrealistic?\n    Ms. De Mooy. Data minimization?\n    Mr. Tonko. Um-hum.\n    Ms. De Mooy. To my understanding, no. I think data systems \nare designed from the beginning, and when they use privacy \nprinciples such as data minimization, it is very possible. You \nknow, there is really no system that I know of that needs every \nsingle thing about you in order to function. Usually we use \nservices and apps for a specific purpose. And so I think that \nis absolutely doable.\n    Mr. Tonko. Okay. Thank you very much, and with that, I \nyield back, Madam Chair.\n    Chairwoman Comstock. Thank you.\n    And thank you to our witnesses.\n    I think we are supposed to have some votes sometime in the \nnext few minutes here, so I think we will be able to close out \nnow. 
But I really want to thank you and appreciate your \nexpertise.\n    And while, you know, we might have in the normal order--\ncertainly we ask the government to give us answers to the \nletters we sent, but I think your expertise and the information \nyou provided I think will help illuminate that hearing, and so \nI hope any ideas you might have for us and questions to ask, \nthat you will feel free to come forward because I think what \nyou have demonstrated through your discussion and the expertise \nthat you have is that we don\'t have to, nor should we have to \nmake the choice between privacy and being able to use our \nmodern technology.\n    I mean we have always been able to match technology with \ntechnology if we approach it with the right principles. That is \nsort of the new way we have to work on things in the 21st \ncentury. So I think the very specific things that you pointed \nout here and certainly doing this on the front end is much less \ncostly. So I think as we set up practices I think it has been \nhelpful for you to--the information you have given us and I \nlook forward to our next testimony in light of the information \nyou have given us.\n    And I do invite you to provide us with any additional \ninformation that you think might be helpful as we hear from the \ngovernment, as we learn more going along. It would be helpful \nfor us for the record.\n    And the record for this hearing will remain open two weeks \nfor additional comments and written questions from Members. And \nthe witnesses are excused and this hearing is adjourned. Thank \nyou.\n    [Whereupon, at 4:04 p.m., the Subcommittees were \nadjourned.]\n                               Appendix I\n\n                              ----------                              \n\n\n                   Answers to Post-Hearing Questions\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT] \n\n\n                   Answers to Post-Hearing Questions\nResponses by Ms. 
Michelle De Mooy\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT] \n\nResponses by Mr. Morgan Wright\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT] \n\n\n                              Appendix II\n\n                              ----------                              \n\n\n                   Additional Material for the Record\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT] \n\n\n            Prepared Statement submitted by Subcommittee on\n             Research and Technology Member Elizabeth Esty\n\n    Thank you to the Committee for holding this hearing on privacy and \nsecurity concerns on HealthCare.Gov, and thank you to our witnesses for \nyour time. Since so much of our personal business--from paying our \ncredit cards to applying for mortgages to choosing health insurance--is \nnow conducted online, it is all the more important that we maintain a \nstrong cyber infrastructure to protect our security and personal \nprivacy.\n    In Connecticut, we established our own health insurance \nmarketplace, Access Health CT, for residents to shop for and secure \nhealth insurance. Over half a million Connecticut residents have \nalready enrolled in health insurance plans through Access Health CT, \nand in 2014 our state\'s uninsured rate was cut in half. 
I am encouraged \nby the level of success we have achieved in Connecticut, and I look \nforward to working with my fellow Committee Members to ensure that \nAmericans across the country have access to affordable healthcare \nwithout compromising their privacy and personal information.\n      Letters Submitted by Subcommittee on Research and Technology\n                      Chairwoman Barbara Comstock\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT] \n\n\n               Documents to Support Letters Submitted by\n  Subcommittee on Research and Technology Chairwoman Barbara Comstock\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT] \n\n\n                                 [all]\n</pre></body></html>\n'