March 23,2016

Press Contact:

Aaron Fobes, Julia Lawless (202)224-4515

Senate and House Committee Leaders Seek Answers from Administration on 316 Security Breaches on HealthCare.gov

WASHINGTON, March 23 – Republican committee leaders in the Senate and House today asked the administration for information about the 316 security breaches on HealthCare.gov catalogued in a new report released by the nonpartisan government watchdog, the Government Accountability Office (GAO).
 
The Senate and House members sent a letter to Health and Human Services Secretary Sylvia Burwell and Centers for Medicare & Medicaid Services Acting Administrator Andy Slavitt seeking information about the report finding that between October 2013 to March 2015, HealthCare.gov had 316 security incidents, including 41 which involved personally identifiable information.
 
The letter was sent by Senate Finance Committee Chairman Orrin Hatch (R-Utah), Senate Health, Education, Labor and Pensions Committee Chairman Lamar Alexander (R-Tenn.), House Energy and Commerce Committee Chairman Fred Upton (R-Mich.), House Ways and Means Committee Chairman Kevin Brady (R-Texas), House Oversight and Government Reform Committee Chairman Jason Chaffetz (R-Utah), Senate Judiciary Committee Chairman Chuck Grassley (R-Iowa), Senate Commerce Committee Chairman John Thune (R-S.D.) and Senate Committee on Homeland Security and Governmental Affairs, Permanent Subcommittee on Investigation Chairman Rob Portman (R-Ohio).
 
They wrote: “In order to assist us in fulfilling our oversight responsibilities, ‎please send us a list and description of every security incident involving HealthCare.gov since October 2013, including how many individuals’ records were compromised, whether the incident involved personally identifiable information, and whether the affected individuals were notified. Please also send the HHS Breach Response Team’s charter and Standard Operating Procedures, its annual reports since 2013, the CMS breach response plan, and the after-action reports for each security incident.
 
“If HHS did not inform affected individuals, we urge you to change that policy immediately.”
 
The leaders, who had previously requested information from the administration about the website’s security, told Secretary Burwell they were concerned that they had not earlier been informed of the security breaches.
 
They requested a reply by April 6, 2016.
 
Read the complete letter online HERE.
 
Details from the GAO report include:
·         Between October 2013 to March 2015, HealthCare.gov had 316 security incidents, including 41 which involved personally identifiable information.
·         GAO reported that HHS does not have complete records of how many people these incidents impacted and whether impacted individuals were notified.
 
Click here and here to view letters sent by House and Senate leaders on September 17, 2014 on January 30, 2015 raising concerns about the security of HealthCare.gov.
  

###