According to an internal memo at the Centers for Medicare and Medicaid Services (CMS), the administration had “only partly completed” a full assessment of the website’s security features ahead of the October 1 launch of the exchanges. The potential lack of security was determined to be “a risk that must be accepted” in order to meet that deadline.
“You accepted a risk on behalf of every user of this [website] that put their personal financial information at risk,” Rogers told Sebelius, “because you did not even have the most basic end-to-end test on security of this system. Amazon would never do this; ProFlowers would never do this; Kayak would never do this.”
One reason they wouldn’t is that, if any of these companies had done this, they would almost certainly have faced serious legal action under Section 5 of the FTC Act, which prohibits endangering consumers by “failing to maintain security for sensitive consumer information.” The FTC has pursued such action on 32 occasions since May 2011. “When companies tell consumers they will safeguard their personal information,” the commission notes on its website, “the FTC can and does take law enforcement action to make sure that companies live up to these promises.” Swindle suggests that a violation like that of HealthCare.gov could even warrant a referral to the DOJ for criminal charges.
Heather R. Higgins, president and CEO of Independent Women’s Voice, and founder of the Repeal Coalition, recently wrote on National Review Online that the GOP’s anti-Obamacare strategy should include demanding “that the standards that apply in the private sector to protect consumers against fraud, including bait-and-switch and determinations of liability, will apply to the government’s efforts as well.”