In a letter sent Tuesday to Hawaii Gov. Neil Abercrombie, the chairman of the U.S. House Oversight Committee and two subcommittee chairmen claim the state's online health care exchange failed to conduct a mandatory security assessment before its unveiling late last year.
Click here for Andrew Pereira's report.
The March 25 letter by Republican Reps. Darrell Issa, James Lankford and Jim Jordon follows the trouble-plagued Oct. 15 launch of the Hawaii Health Connector, which came after a two-week delay and was followed by lackluster enrollment numbers.
Issa chairs the Oversight Committee, while Lankford is chairman of the subcommittee on Energy Policy, Health Care and Entitlements. Jordon heads the subcommittee on Economic Growth, Job Creation, and Regulatory Affairs.
In the letter to the governor, the three chairmen claim the Health Connector failed to follow guidelines by the Centers for Medicare and Medicaid Services for a comprehensive security assessment prior to the website going live.
"In fact, Hawaii's failure to conduct a security assessment of its exchange prior to October 1, 2013, appears to violate CMS's Minimum Acceptable Risk Standards for Exchanges (MARS-E)," the letter states.
"This is like a security breech, an identity theft situation kind of waiting to happen," said Peter Kay, chief executive officer of Cybercom Inc., a Honolulu-based Internet technology company.
Issa and his two subcommittee colleagues also claim that the chief information security officer at CMS recommended only four state exchanges be allowed to connect to a federal data hub that helps determine health insurance coverage under President Barack Obama's Affordable Care Act.
The letter states 35 state exchanges were deemed "high risk" and Hawaii was one of them, with a total of "23 High-impact findings."
According to cyber security compliance standards established by the Internal Revenue Service, and National Institute for Standards and Technology highlighted in the letter, a high-risk assessment has the potential to cause a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
State Sen. Josh Green, a Democrat and doctor who chairs the Health Committee, told KITV4 the letter to Abercrombie sounds a "bit political," but is nevertheless "disconcerting."
"If that proves to be true, then there's going to be hell to pay," Green said of the Health Connector's alleged failure to test security. "I'm sure it's going to totally erode people's confidence that it's safe and secure."
To date, 5,744 individuals have obtained health insurance through the Health Connector since its launch five months ago. Before obtaining coverage, an applicant must supply their Social Security number, date of birth and income.
"With that data, someone could get access to practically anything," said Kay.
In a statement issued late Thursday by Abercrombie's chief adviser on technology and cybersecurity, Sanjeev "Sonny" Bhagowalia says the Health Connector has complied with all federal regulatory mandates.
"Hawaii's Exchange passed all security certifications required by the Centers for Medicare & Medicaid Services prior to launch on October 15 and has had no security breaches since that time," Bhagowalia wrote in an email to KITV4.
As KITV4 first reported Wednesday, Health Connector interim Executive Director Tom Matsuda has been summoned to Capitol Hill next Thursday to testify before a joint subcommittee chaired by representatives Lankford and Jordon.
The hearing is being called "Examining ObamaCare's Problem-Filled State Exchanges," and is scheduled to begin at 4 a.m. Hawaii time. It will be streamed live on Oversight.House.gov.
"All I can do is tell them what we did, right? And people will just have to draw their own conclusions," said Matsuda when asked Wednesday about his appearance on Capitol Hill.
In addition to Matsuda, health care exchange representatives from nine other states and the District of Columbia have been called to testify.
"I think he's done everything right as far as transparency goes," Green said of Matsuda's leadership of the Health Connector. "So he's probably going to catch heck for failings of the past leadership."
Matsuda took on the role of interim executive director of Hawaii's health exchange in December when Coral Andrews resigned after two years at the helm.
State lawmakers meanwhile must decide whether to fund the Health Connector's operations past the end of the year when the nonprofit organization is supposed to become self-sufficient. The exchange has received more than $200 million in federal grants and has about $95 million left.
Matsuda said he's waiting for a determination by the federal government on how much of the remaining grant money can be spent on the Health Connector's operations, but some local politicians are leery of funding the exchange past 2014.
"It really may be necessary to go toward the feds and then just use our Connector in a very local information-based way," said Green.
Initial estimates show it may take up to $15 million per year to keep the Health Connector afloat until Hawaii can apply for a state innovation waiver in 2017.
In the letter to the governor, the three Republican representatives ask for all documents related to the Health Connector's creation, as well as those concerning cyber security, by April 8.
"I don't care whether it's Republicans or Democrats in charge of these investigations," said Green. "I think that they have every right... to have all the information, all the contracts (and) all the technical specifications so that they can see whether people are being treated well."
To see the correspondence sent to Gov. Abercrombie, click here: March 25, 2014 letter