It’s Henry Chao, who warned people back in March that he was “nervous” about the state of Healthcare.gov’s development and hoped that using the site wouldn’t be “a third-world experience.” Eight months later, that’s exactly what it is: The front end barely functions, the back end is a ripe target for thieves, and the people in charge are either dangerously ignorant about its operations or covering up what they knew. Money quote from CBS’s story about this:
Chao said he was unaware of a Sept. 3 government memo written by another senior official at CMS. It found two high-risk issues, which are redacted for security reasons. The memo said “the threat and risk potential (to the system) is limitless.” The memo shows CMS gave deadlines of mid-2014 and early 2015 to address them…
It was Chao who recommended it was safe to launch the website Oct. 1. When shown the security risk memo, Chao said, “I just want to say that I haven’t seen this before.”
A Republican staff lawyer asked, “Do you find it surprising that you haven’t seen this before?”
Chao replied, “Yeah … I mean, wouldn’t you be surprised if you were me?” He later added: “It is disturbing. I mean, I don’t deny that this is … a fairly nonstandard way” to proceed.
Note well: The estimated fix for the unspecified security problems was the middle of next year at the earliest. HHS says they rolled out the site on October 1 even though it wasn’t functioning because they thought they could fix it on the fly relatively quickly after launch. This memo proves that that’s a lie.
Now, the question: Did Chao lie to the committee about not having seen the Sept. 3 memo before or was there a deliberate effort within CMS to withhold the extent of the site’s problems from supervisors like him so that they’d greenlight it for launch as scheduled? If the latter, who’s responsible? As it turns out, the memo was written by — ta da — Tony Trenkle, lead tech officer for Healthcare.gov who left last week under mysteriously vague circumstances. As CBS reported, Trenkle himself never signed off on security for the site in September; it was his boss, Marilyn Tavenner, who signed the authorization, supposedly because she thought that a project this big should carry the John Hancock of the head of CMS. Is that the truth, or did Trenkle refuse to sign because he knew the site’s security was a travesty and couldn’t in good conscience authorize launching it? The fact that he wrote such a dire memo about “limitless” risk suggests that he knew the extent of the problem — and yet, if you believe Chao, that information somehow never made its way to the project manager. Why? Why are there so many unorthodox procedures related to approval of the site’s security here? Did Tavenner, at least, see Trenkle’s memo before she authorized the launch or was it withheld from her too? If she did see it, why didn’t she tell Obama and Sebelius that security was too weak to justify rolling it out now?
I assume CMS will try to pin all of this on Trenkle by claiming he didn’t do enough to warn his superiors about how bad things were. And yet the fact remains: He wrote the memo. He wanted someone to see it. The language he used was sufficiently alarming that Chao himself said it was “disturbing” that he hadn’t seen it before when it was handed to him at the hearing. It can’t be Trenkle who suppressed the bad news about security. Whodunnit?