[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
CAN AMERICANS TRUST THE PRIVACY
AND SECURITY OF THEIR
INFORMATION ON HEALTHCARE.GOV?
=======================================================================
JOINT HEARING
BEFORE THE
SUBCOMMITTEE ON RESEARCH AND TECHNOLOGY &
SUBCOMMITTEE ON OVERSIGHT
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION
__________
FEBRUARY 12, 2015
__________
Serial No. 114-6
__________
Printed for the use of the Committee on Science, Space, and Technology
Available via the World Wide Web: http://science.house.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
93-884 PDF WASHINGTON : 2015
_____________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HON. LAMAR S. SMITH, Texas, Chair
FRANK D. LUCAS, Oklahoma EDDIE BERNICE JOHNSON, Texas
F. JAMES SENSENBRENNER, JR. ZOE LOFGREN, California
DANA ROHRABACHER, California DANIEL LIPINSKI, Illinois
RANDY NEUGEBAUER, Texas DONNA F. EDWARDS, Maryland
MICHAEL T. McCAUL FREDERICA S. WILSON, Florida
STEVEN M. PALAZZO, Mississippi SUZANNE BONAMICI, Oregon
MO BROOKS, Alabama ERIC SWALWELL, California
RANDY HULTGREN, Illinois ALAN GRAYSON, Florida
BILL POSEY, Florida AMI BERA, California
THOMAS MASSIE, Kentucky ELIZABETH H. ESTY, Connecticut
JIM BRIDENSTINE, Oklahoma MARC A. VEASEY, Texas
RANDY K. WEBER, Texas KATHERINE M. CLARK, Massachusetts
BILL JOHNSON, Ohio DON S. BEYER, JR., Virginia
JOHN R. MOOLENAAR, Michigan ED PERLMUTTER, Colorado
STEVE KNIGHT, California PAUL TONKO, New York
BRIAN BABIN, Texas MARK TAKANO, California
BRUCE WESTERMAN, Arkansas BILL FOSTER, Illinois
BARBARA COMSTOCK, Virginia
DAN NEWHOUSE, Washington
GARY PALMER, Alabama
BARRY LOUDERMILK, Georgia
------
Subcommittee on Research and Technology
HON. BARBARA COMSTOCK, Virginia, Chair
FRANK D. LUCAS, Oklahoma DANIEL LIPINSKI, Illinois
MICHAEL T. MCCAUL, Texas ZOE LOFGREN, California
STEVEN M. PALAZZO, Mississippi SUZANNE BONAMICI, Oregon
RANDY HULTGREN, Illinois KATHERINE M. CLARK, Massachusetts
JOHN R. MOOLENAAR, Michigan SUZANNE BONAMICI, Oregon
STEVE KNIGHT, California DON S. BEYER, JR., Virginia
BRUCE WESTERMAN, Arkansas EDDIE BERNICE JOHNSON, Texas
GARY PALMER, Alabama
LAMAR S. SMITH, Texas
------
Subcommittee on Oversight
HON. BARRY LOUDERMILK, Georgia, Chair
F. JAMES SENSENBRENNER, JR., DON BEYER, Virginia
Wisconsin ALAN GRAYSON, Florida
BILL POSEY, Florida ZOE LOFGREN, California
THOMAS MASSIE, Kentucky EDDIE BERNICE JOHNSON, Texas
JIM BRIDENSTINE, Oklahoma
BILL JOHNSON, Ohio
LAMAR S. SMITH, Texas
C O N T E N T S
February 12, 2015
Witness List
Hearing Charter
Opening Statements
Statement by Representative Barbara Comstock, Chairwoman,
Subcommittee on Research and Technology, Committee on Science,
Space, and Technology, U.S. House of Representatives
Written Statement
Statement by Representative Daniel Lipinski, Ranking Minority
Member, Subcommittee on Research and Technology, Committee on
Science, Space, and Technology, U.S. House of Representatives
Written Statement
Statement by Representative Barry Loudermilk, Chairman,
Subcommittee on Oversight, Committee on Science, Space, and
Technology, U.S. House of Representatives
Written Statement
Statement by Representative Don S. Beyer, Ranking Minority
Member, Subcommittee on Oversight, Committee on Science, Space,
and Technology, U.S. House of Representatives
Written Statement
Witnesses:
Ms. Michelle De Mooy, Deputy Director, Consumer Privacy, Center
for Democracy and Technology
Oral Statement
Written Statement
Mr. Morgan Wright, Principal, Morgan Wright, LLC
Oral Statement
Written Statement
Discussion
Appendix I: Answers to Post-Hearing Questions
Ms. Michelle De Mooy, Deputy Director, Consumer Privacy, Center
for Democracy and Technology
Mr. Morgan Wright, Principal, Morgan Wright, LLC
Appendix II: Additional Material for the Record
Prepared statement by Representative Elizabeth Esty, Committee on
Science, Space, and Technology, U.S. House of Representatives
Letters submitted by Representative Barbara Comstock, Chairwoman,
Subcommittee on Research and Technology, Committee on Science,
Space, and Technology, U.S. House of Representatives
Documents submitted by Representative Barbara Comstock,
Chairwoman, Subcommittee on Research and Technology, Committee
on Science, Space, and Technology, U.S. House of
Representatives
CAN AMERICANS TRUST THE PRIVACY
AND SECURITY OF THEIR
INFORMATION ON HEALTHCARE.GOV?
----------
THURSDAY, FEBRUARY 12, 2015
House of Representatives,
Subcommittee on Research and Technology &
Subcommittee on Oversight
Committee on Science, Space, and Technology,
Washington, D.C.
The Subcommittees met, pursuant to call, at 2:49 p.m., in
Room 2318 of the Rayburn House Office Building, Hon. Barbara
Comstock [Chairwoman of the Subcommittee on Research and
Technology] presiding.
Chairwoman Comstock. The Subcommittee on Research and
Technology and Subcommittee on Oversight will come to order.
Without objection, the Chair is authorized to declare
recesses of the Subcommittee at any time.
Good afternoon. Welcome to today's hearing entitled ``Can
Americans Trust the Privacy and Security of Their Information
on Healthcare.gov?''
In front of you are packets containing the written
testimony, biographies, and truth-in-testimony disclosures for
today's witnesses.
I recognize myself for five minutes for an opening
statement.
Now, the reason we are having the hearing today is just
over three weeks ago on January 20, the Associated Press
reported that as many as 50 data mining companies had access to
consumers' personal and health information on HealthCare.gov.
Companies such as Google, Twitter, Facebook, Yahoo, and
Advertising.com apparently were provided access by CMS, the
Centers for Medicare and Medicaid Services.
Upon learning of this development, Chairman Smith sent
several letters to department heads questioning the practice
and trying to get more information about what actually had
happened, but no one has replied with additional information at
this point.
As reported by AP, ``When you apply for coverage on
HealthCare.gov, dozens of data companies may be able to tell
that you are on the site.'' While the information shared with
these third party companies does not include, apparently, the
healthcare consumer's Social Security number, it appears that a
number of data companies may have had access to consumers' age,
income, ZIP code, smoking practices, pregnancy status, and even
computer IP address.
While some may characterize this as a harmless collection
of data, it can actually be more revealing. A recent MIT study
of credit card data revealed that only four pieces of outside
information about a user, including one's social media
activity, were sufficient to identify a person in the database
of a million people.
The concerns with HealthCare.gov's practice of sharing data
are twofold. There are privacy implications of feeding
consumers' personal data--unbeknownst to them--to third party
vendors, and there are security concerns, because additional
connections to the website can lead to additional
vulnerabilities.
During my first hearing that we had here on the
Subcommittee I shared that I experienced a credit card breach
because someone had ordered $7,000 of products and wrongfully
charged them to my credit card right before Christmas.
Fortunately, that situation resolved fairly quickly and I
wasn't liable for those charges, but what if the information
stolen had been about healthcare? How would that impact
somebody?
You know, you can get a new credit card but when that is
taken or hacked, like whatever happened in that case, but once
personal health information is compromised, personal family
information, other things like that, you don't know where that
may go and it could be out there forever. That is why health
and health insurance information apparently is reportedly worth
up to 10 times as much as credit card information on the black
market.
The risks posed by HealthCare.gov data-sharing are
underscored by the fact that a hacker accessed the website last
July to upload malicious software. Government investigators
found no evidence that consumers' personal data were taken, but
HHS said the attack appears to have been the first successful
intrusion into the website. Many security experts have warned
of vulnerability to hacking since HealthCare.gov went live more
than a year ago.
And just last week, we learned about what might be the
largest data breach against the country's second biggest health
insurer, Anthem. In this case, stolen information for 80
million Anthem members included names, birth dates, Social
Security numbers and medical IDs. That impacted my constituents
so I, and I know other colleagues of mine in Virginia, posted
information about the Anthem situation at my official website
to inform our constituents, but obviously they had very strong
concerns when healthcare information may be at risk.
Today's hearing is a precursor to one at which we will
invite witnesses from the federal government to answer specific
questions about the HealthCare.gov contracts with the third
party companies. I look forward to the insights of both our
witnesses today as the Committee continues its due diligence
over this issue.
And I do want to emphasize that obviously we do want to
hear from the folks at CMS and the Chairman had reached out to
them, but we wanted to proceed and hear from other experts such
as are here today.
[The prepared statement of Mrs. Comstock follows:]
Prepared Statement of Subcommittee
Chairwoman Barbara Comstock
Three weeks ago, on January 20, the Associated Press reported that
as many as 50 data mining companies had access to consumers' personal
and health information on HealthCare.gov. Companies such as Google,
Twitter, Facebook, Yahoo, and Advertising.com apparently were provided
access by CMS (the Centers for Medicare and Medicaid Services).
As reported by AP, ``When you apply for coverage on HealthCare.gov,
dozens of data companies may be able to tell that you are on the
site.'' While the information shared with these third party companies
does not include the health care consumer's Social Security number, it
appears that a number of data companies may have had access to
consumers' age, income, ZIP code, smoking practices, pregnancy status,
and even computer IP address.
While some may characterize this as a harmless collection of data,
it can actually be much more revealing. A recent MIT study of credit
card data revealed that only four pieces of outside information about a
user, including one's social media activity, were sufficient to
identify a person in the database of a million people.
The concerns with HealthCare.gov's practice of sharing data with
companies like Google, Twitter and Facebook are two-fold. There are
privacy implications of feeding consumers' personal data--unbeknownst
to them--to third party vendors, and there are security concerns,
because additional connections to the website can lead to additional
vulnerabilities.
We also should consider this news in the context of President
Obama's announcement that he would bring forward a new online privacy
and cybersecurity proposal later this month. This proposal was
described as building on steps previously taken to ``protect American
companies, consumers, and infrastructure from cyber threats, while
safeguarding privacy and civil liberties.'' It seems to me that what
the AP has reported about Americans' data on HealthCare.gov and what
the President expects of Americans may be in conflict or certainly
raise legitimate concerns.
Privacy protections at federal government websites should be the
gold standard, setting the bar for others to follow. Privacy
protections at federal websites should at least follow the guidance
provided through the Federal Information Security Management Act and
last year's publication of the Cybersecurity Framework by the National
Institute of Standards and Technology. I am interested in hearing from
our expert witnesses about privacy protections for users of
HealthCare.gov.
During my first hearing as Chairwoman of this Subcommittee, I
shared that I experienced a credit card breach because someone had
ordered $7,000 in wrongful charges on my card right before Christmas.
Fortunately, the situation was resolved and I wasn't liable for
those charges. But what if information stolen like this had been
related to health?
You can get a new credit card when your old one is hacked. But once
personal health information is compromised, it could be out there
forever. That is why health and health insurance information is
reportedly worth up to ten times as much as credit card information on
the black market.
The risks posed by HealthCare.gov data sharing are underscored by
the fact that a hacker accessed the website last July to upload
malicious software. Government investigators found no evidence that
consumers' personal data were taken, but HHS said the attack appears to
have been the first successful intrusion into the website. Many
security experts have warned of vulnerability to hacking since
HealthCare.gov went live more than a year ago.
And just last week, we learned about what might be the largest data
breach against the country's second biggest health insurer, Anthem. In
this case, stolen information for 80 million Anthem members included
names, birth dates, Social Security numbers and medical IDs.
I posted information about the Anthem situation at my official
website to inform my constituents.
Today's hearing is a precursor to one at which we will invite
witnesses from the federal government to answer specific questions
about the HealthCare.gov contracts with third party companies. I look
forward to the insights of both our witnesses today as the Committee
continues its due diligence over this issue.
Chairwoman Comstock. Now, before I yield to the Ranking
Member, I ask unanimous consent that the following documents be
placed in the record, which include the letters from Chairman
Smith I referenced earlier.
Without objection, there we go.
[The information appears in Appendix II]
Chairwoman Comstock. Now, I recognize the Ranking Member of
the Research and Technology Subcommittee, the gentleman from
Illinois, Mr. Lipinski, for his opening statement.
Mr. Lipinski. Thank you, Madam Chairwoman.
I want to welcome the witnesses to this afternoon's
hearing.
I am troubled by some of the things we know and some of the
things we don't know about privacy and security on
HealthCare.gov. We have a couple of very good witnesses today
who I look forward to hearing from. Unfortunately, neither of
these experts had any role in developing HealthCare.gov or
decisions regarding privacy and security, but I do hope that
the testimony will help shape some of the questions we should
be asking those who did have a role in those decisions.
Given the problematic rollout of HealthCare.gov and
problems with some state exchange websites such as those with
the D.C. marketplace, it is clear that the implementation of
the technical side of the Affordable Care Act merits
Congressional review and oversight. While HealthCare.gov
functionality has improved since last year and CMS has been
responsive to reports of potential security or privacy
weaknesses as they have been identified, we should continue to
conduct oversight because the type of personal data that is
inputted into the site raises the potential for serious
problems.
Yet we must also make sure that we are clear on the
context. We are here today because of recent news reports about
the use of third-party analytics tools on HealthCare.gov, as
the Chairwoman mentioned. Data analytics tools can be valuable
for tracking how websites are being used and optimizing the
website for the consumer. While I am on the record about my
reservations about the Affordable Care Act, I also understand
the motivation of increasing traffic to the HealthCare.gov
website in an effort to get more people signed up for health
insurance.
However, we must hold the government to the highest
standards for privacy and security. This is especially true for
a website like HealthCare.gov in which people enter highly
private and sensitive information. I have concerns based on the
initial news reports that the high standards may not have been
applied to privacy on HealthCare.gov. However, the news
reports, like today's testimony, have provided more questions
than answers. We must also be careful to distinguish between
privacy and security and where the true vulnerabilities may be
for each. In short, we have a responsibility to gather all the
facts before coming to any conclusions but we need to get those
facts.
I understand, Madam Chairwoman, that you are trying to
schedule a second hearing with Administration officials who
have direct knowledge of the issues before us today. I think
such a hearing, in addition to more staff homework, will be
necessary before we can draw any clear conclusions or proposals
for moving forward.
In addition, I would note that privacy is a big issue
across the internet. Data analytics tools can help improve
customer experience but their ubiquity and integration into the
working of so many websites means that Americans concerned
about their privacy may have little real choice when it comes
to how they can manage the release of their information. Ms. De
Mooy addresses some of that in her testimony and I look forward
to the discussion on the broader issues. While we may hold the
government to higher standards, it is incumbent upon us to
declare the steps we can take to ensure that Americans are able
to safeguard their personal data across the online environment
as a whole.
Finally, while this hearing will focus on online data
privacy, it is critical to recognize that using the internet is
far from the only way for Americans' private information to be
lost. In his testimony, Mr. Wright addresses the difficulty of
anonymizing data and the ease with which individuals can be
identified from just a few pieces of information about their
day-to-day activities such as purchases charged through a
credit card. Given this testimony, this Committee may want to
be careful about efforts to publicly disclose study data
related to the health impacts of the air pollutants used in the
EPA regulation. It is an issue that we debated in the last
Congress and I think this is something that we need to
consider, the problems with anonymizing data, as we move
forward.
I look forward to hearing from the witnesses today, and
with that, I yield back.
[The prepared statement of Mr. Lipinski follows:]
Prepared Statement of Subcommittee
Minority Ranking Member Daniel Lipinski
Thank you Madam Chairwoman. I want to welcome the witnesses to this
morning's hearing on privacy and security on the healthcare.gov
website.
I am troubled by some of the things we know and some of the things
we don't know about privacy and security on healthcare.gov. We have
some very good witnesses today who I look forward to hearing from.
Unfortunately none of these experts had any role in developing
healthcare.gov or in the decisions regarding privacy and security. I do
hope the testimony will help shape some of the questions we should be
asking those who did have a role in those decisions.
Given the problematic rollout of healthcare.gov and problems with
some state exchange websites such as those with the DC marketplace,
it's clear that the implementation of the technical side of the
Affordable Care Act merits Congressional review and oversight. While
healthcare.gov functionality has improved since last year and CMS has
been responsive to reports of potential security or privacy weaknesses
as they have been identified, we should continue to conduct oversight
because the type of personal data that is input into the site raises
the potential for serious problems.
Yet we must also make sure that we are clear on the context. We are
here today because of recent news reports about the use of third-party
analytics tools on healthcare.gov. Data analytics tools can be valuable
for tracking how websites are being used and optimizing the website for
the consumer. While I am on the record about my own reservations about
the Affordable Care Act, I also understand the motivation of increasing
traffic to the healthcare.gov website in an effort to get more people
signed up for health insurance.
However, we must hold the government to the highest standards for
privacy and security. This is especially true for a website like
healthcare.gov in which people enter highly private and sensitive
information. I have concerns, based on the initial news reports, that
the highest standards may not have been applied to privacy on
healthcare.gov. However, the news reports, like today's testimony,
provide more questions than answers. We must also be careful to
distinguish between privacy and security, and where the true
vulnerabilities may be for each. In short, we have a responsibility to
gather all of the facts before coming to any conclusions. But we need
those facts.
I understand, Madam Chairwoman, that you are trying to schedule a
second hearing with Administration officials who have direct knowledge
of the issues before us today. I think such a hearing, in addition to
more staff homework, will be necessary before we can draw any clear
conclusions or proposals for moving forward.
In addition, I would note that privacy is a big issue across the
internet. Data analytics tools can help improve customer experience.
But their ubiquity and integration into the workings of so many
websites means that Americans concerned about their privacy may have
little real choice when it comes to how they can manage the release of
their information. Ms. De Mooy addresses some of that in her testimony
and I look forward to a discussion on the broader issues. While we may
hold the government to a higher standard, it is incumbent upon us to
consider steps we can take to ensure that Americans are able to
safeguard their personal data across the online environment as a whole.
Finally, while this hearing will focus on online data privacy, I
think it is critical to recognize that using the internet is far from
the only way for Americans' private information to be lost. In his
testimony, Mr. Wright addresses the difficulty of anonymizing data and
the ease with which individuals can be identified through just a few
pieces of information about their day-to-day activities, such as
purchases charged to a credit card. Given this testimony, this
Committee may want to be careful about efforts to publicly disclose
study data related to the health impacts of air pollutants used in EPA
regulations.
I look forward to hearing from the experts before us today and with
that I yield back.
Chairwoman Comstock. I now recognize the Chair of the
Oversight Subcommittee, the gentleman from Georgia, Mr.
Loudermilk, for an opening statement.
Mr. Loudermilk. Thank you, Chairwoman Comstock. I
appreciate the opportunity to be here, and welcome to all of
our witnesses here today. And I am looking forward to hearing
from each of you as we gather information on this very
important issue.
Just last week, I joined many of my Republican colleagues
to vote for a full repeal of ObamaCare. This sweeping
healthcare law has punished countless Americans by doubling
some health insurance costs for the same or less coverage in
many cases by no longer being able to use the plans they were
promised to keep.
That same healthcare law created HealthCare.gov, a
federally operated health insurance exchange website to assist
Americans in signing up for healthcare coverage. As reported by
the Associated Press on January 20, 2015, dozens of companies,
including Google, Facebook, and Twitter, had embedded
connections to HealthCare.gov. Essentially, when a consumer was
applying for coverage on the website, it is possible that some
or all of those data companies were able to tell, at the very
least, when a person was on the site, their age, their income,
their ZIP code, and whether they smoked or even if they were
pregnant.
The Centers for Medicare and Medicaid Services claim that
this kind of data mining is necessary for data analytics in
order to improve user experience. If that is the case, however,
I wonder why the number of embedded connections to the website
has significantly dropped since the first news story on the
matter. Did the Administration actually know and approve all
the companies that were connected to HealthCare.gov?
One of our witnesses here today comes from the Center for
Democracy and Technology, which compiles similar analytics
in-house instead of through a slew of different companies. This
technique decreases privacy and security vulnerabilities by
giving website access to a minimum number of individuals who
are able to improve user experience without compromising user
information.
Having multiple outside connections to HealthCare.gov means
more vendors have access to the website, which only means one
thing: increased vulnerabilities. About one year ago, hackers
were able to use just one vendor, an HVAC company based in
Pennsylvania, to obtain credit and debit card information of
millions of Target customers nationwide.
Cybercriminals appear to be increasingly interested in the
personal information collected by U.S. insurers, so much so
that a recent Reuters article warned that 2015 could be ``the
Year of the Healthcare Hack.'' So far, it looks as though they
are right. Just last week, it was disclosed that a database
containing personal information for about 80 million customers
of health insurer Anthem, Incorporated, was hacked. It is
feared that this breach exposed names, birthdays, addresses,
and Social Security numbers--all information that
HealthCare.gov website requests of its customers.
As someone with a background in the IT sector, I find what
appears to be extensive tracking of Americans' personal
information extremely disconcerting and unnecessary. Americans
were first misled when their President told them ``if you like
your healthcare insurance plan, you can keep it,'' and now it
seems like they are being misled into thinking that their
personal information on HealthCare.gov is as secure as it can
be.
Considering that HealthCare.gov is one of the largest
collections of personal information ever assembled, it is
extremely important that the Administration implements best
practices to protect Americans' privacy. This Administration
ultimately has a responsibility to ensure that personal data
collected is secure, and Congressional oversight will continue
until the Administration has proved that it is doing all it can
to protect the American people.
I look forward to today's hearing where I hope to gain some
insight from our expert witnesses on the possible reasoning for
why scores of data mining companies would be embedded on
HealthCare.gov, as well as the potential consequences of them
having access to the website. The American people deserve to
know the truth and are owed some level of transparency from
this Administration as to how their information on
HealthCare.gov is being collected, used, and secured.
Madam Chair, I yield back my time.
[The prepared statement of Mr. Loudermilk follows:]
Prepared Statement of Subcommittee on Oversight
Chairman Barry Loudermilk
Thank you, Chairwoman Comstock, and welcome to all of our witnesses
here today. I am looking forward to hearing from each of you as we
gather information on this very important issue.
Just last week, I joined many of my Republican colleagues to vote
for a full repeal of Obamacare. This sweeping health care law has
punished countless Americans by doubling some health insurance costs
for the same or less coverage, or, in many cases, by no longer being
able to use the plans they were promised to keep.
That same health care law created HealthCare.gov, a
federally-operated health insurance exchange website to assist Americans in
signing up for healthcare coverage. As reported by the Associated Press
on January 20th, 2015, dozens of companies, including Google, Facebook,
and Twitter had embedded connections to HealthCare.gov. Essentially,
when a consumer was applying for coverage on the website, it is
possible that some or all of those data companies were able to tell, at
the very least, when the person was on the site, their age, their
income, their ZIP code, and whether they smoked or even if they were
pregnant.
The Centers for Medicare and Medicaid Services claims that this
kind of data mining is necessary for data analytics in order to improve
user experience. If that is the case, however, I wonder why the number
of embedded connections to the website has significantly dropped since
the first news story on this matter. Did the Administration actually
know and approve all of the companies that were connected to
HealthCare.gov?
One of our witnesses here today comes from the Center for Democracy
and Technology, which compiles similar analytics in-house instead of
through a slew of different companies. This technique decreases privacy
and security vulnerabilities by giving website access to a minimum
number of individuals who are able to improve user experience without
compromising user information.
Having multiple outside connections to HealthCare.gov means more
vendors have access to the website, which only means one thing:
increased vulnerabilities. About one year ago, hackers were able to use
just one vendor, an HVAC Company based in Pennsylvania, to obtain the
credit and debit card information of millions of Target customers
nation-wide.
Cybercriminals appear to be increasingly interested in the personal
information collected by U.S. insurers, so much so that a recent
Reuters article warned that 2015 could be ``the Year of the Healthcare
Hack.'' So far, it looks as though they are right. Just last week, it
was disclosed that a database containing personal information for about
80 million customers of health insurer Anthem, Inc. was hacked. It is
feared that this breach exposed names, birthdays, addresses, and Social
Security numbers--all information that the HealthCare.gov website
requests of its customers.
As someone with a background in the IT sector, I find what appears
to be extensive tracking of Americans' personal information extremely
disconcerting and unnecessary. Americans were first misled when their
President told them that, ``if you like your health insurance plan, you
can keep it,'' and now it seems like they are being misled into
thinking that their personal information on HealthCare.gov is as secure
as it can be.
Considering that HealthCare.gov is one of the largest collections
of personal information ever assembled, it is extremely important that
the Administration implements best practices to protect Americans'
privacy. This Administration ultimately has a responsibility to ensure
that personal data collected is secure, and Congressional oversight
will continue until the Administration has proved that it is doing all
it can to protect the American people.
I look forward to today's hearing where I hope to gain some insight
from our expert witnesses on the possible reasoning for why scores of
data mining companies would be embedded on HealthCare.gov as well as
the potential consequences of them having access to the website. The
American people deserve to know the truth and are owed some level of
transparency from this Administration as to how their information on
HealthCare.gov is being collected, used, and secured.
Chairwoman Comstock. Thank you.
I now recognize the Ranking Member of the Subcommittee on
Oversight, the gentleman from Virginia and my neighbor, Mr.
Beyer, for an opening statement.
Mr. Beyer. Thank you, Madam Chair Comstock, and Chairman
Loudermilk for holding this hearing today.
Recent news stories on the sharing of the HealthCare.gov
visitor data with third parties really does raise very
legitimate privacy concerns. According to these news reports,
which we have heard, various personal data was being provided
at multiple third-party websites and application tools embedded
in the website. No personally identifiable information was
provided to third parties but news reports also suggest that
the information was being provided to third parties without the
clear consent or any knowing consent of the visitors to the
site.
I think there are many questions that the Members on both
sides of the aisle have about HealthCare.gov implementing the
use of third-party tools. What restrictions were placed on the
use of this data by third parties? Was there even a need for
third-party tools on the website? How do these tools improve
the function of the website, users' experience? Could some of
this work have been done in-house?
Unfortunately, we are not going to be able to get
definitive answers to those questions today. I understand the
majority invited government witnesses but they deferred citing
too short notice to prepare their testimony. My understanding
is they will be coming again later with the proper set of
government witnesses to address these issues. In a perfect
world, we would have had that first but right now I guess we
have to deal with a lot of speculation and discover the
government facts later.
The use of third-party website tools on HealthCare.gov has
drawn an awful lot of public attention but I hope our
witnesses, particularly Ms. De Mooy, can help us explore the
larger privacy issues involved.
The use of third-party websites is worrisome but it is
certainly not unusual in the digital online environment. One
recent study found that the top 100 most popular websites were
being monitored by more than 1,300 firms deploying these third-party
tools. And while I believe we should definitely explore
the privacy implications of using the third-party websites,
this too is only a small part of the privacy pie.
From the moment we enter the digital domain, whether it is
turning on our cell phone, logging onto the internet, opening
up a tablet or other digital device, our data is collected,
collated, and analyzed by corporations, organizations,
government agencies, and particularly online advertising
companies. In the physical world, our identities are often
measured by details on our driver's licenses, birthday, height,
gender, weight, but in the digital world, the metrics used to
measure who we are seem to be based on observing the web pages
we visit, the purchases we make, the people we personally
socialize, the news items we read, and the movies we watch. And
I am concerned about the use of these new metrics that
constantly track and measure our personal lives online.
On the security side, we should also realize that any IT
infrastructure is constantly evolving and improving. It is
unclear if the use of third-party tools have any direct impact
yet at least on the security of HealthCare.gov but also need
this--this needs to be put in perspective. Chairman Loudermilk
mentioned Anthem's recent breach exposing the accounts of 80
million customers. That is eight times the number of people who
have signed up through--for the Affordable Care Act through
HealthCare.gov.
Since the launch of HealthCare.gov, an additional 10
million Americans have healthcare coverage, and I believe that
extending these healthcare market opportunities to 10 million
Americans is a tremendously positive event for millions of
families across the country. So we have very dark conjectures
around the security of the website which we must address, but
we also can't--must keep all of this in perspective about the
millions of families who have been helped.
I hope this hearing helps us explore these broad privacy
issues and I look forward to hearing from our witnesses. I
yield back, Mr. Chair--Madam Chair.
[The prepared statement of Mr. Beyer follows:]
Prepared Statement of Subcommittee on Oversight
Ranking Minority Member Don S. Beyer
Thank you Madam Chair Comstock and Chairman Loudermilk for
holding this hearing today.
Recent news stories on the sharing of Healthcare.gov
visitor data with third parties raise legitimate privacy
concerns. According to these news reports data including an
individual's income, zip code and pregnancy status were being
provided to multiple Third-Party Websites and Applications
(TPWAs) tools embedded on the website. According to these
stories, no personally identifiable information, known as PII,
was provided to third parties. However, news reports also
suggest that the information was being provided to third
parties without the clear consent of visitors to the site.
There are many questions I think Members on both sides of
the aisle have about how Healthcare.gov implemented the use of
third party tools on the website. What restrictions were placed
on the use of this data by third parties? Why was there a need
for multiple third party tools on the website? How did these
tools help improve the function of the website and the user's
experience? Could some of this work have been done in-house?
Unfortunately we will not be able to get definitive answers
on any of these questions today. Today's hearing will be
largely speculative in nature since we don't have any
government witnesses to explain these issues. I understand the
Majority originally invited government witnesses, but provided
them with short notice to prepare their testimony. My
understanding is we may have a follow-up hearing with the
proper set of witnesses to address these issues later this
month. In a perfect world, we would have had that hearing
first. Instead, I fear we will start with lots of speculation
and will then try to uncover the facts at a later date.
The use of third party website tools on Healthcare.gov has
drawn the public's attention to this issue, but I hope our
witnesses, particularly Ms. De Mooy, can help us explore the
larger privacy issues regarding the use of these and other
tools to monitor online activities and their impact on our
individual privacy. The use of third party websites is
worrisome, but not unusual in the digital online environment.
One recent study, for instance, found that the top 100 most
popular websites were being monitored by more than 1,300 firms
deploying these third party tools. And while I believe we
should explore the privacy implications of using third party
websites this is simply a small slice of the privacy pie. From
the moment we enter the digital domain, whether it is turning
on our cell phone, logging onto the Internet or opening up a
tablet or other digital device our data is collected, collated
and analyzed by corporations, organizations, government
agencies and online advertising companies.
In the physical world our identities are often measured by
the details on our driver's licenses: our birth date, our
height, our weight and gender. But in the digital world the
metrics used to measure who we are seem to be based on
observing the web pages we visit, the purchases we make, the
people we ``virtually'' socialize with, the news items we read
and the movies we watch. I am concerned about the use of these
new metrics that constantly track and measure our personal
lives online.
On the security side, we must realize that any IT
infrastructure is constantly evolving and improving. It is
unclear if the use of third party tools had any direct impact
on the security of Healthcare.gov, but I also believe this
issue needs to be put in perspective. Just last week, reports
surfaced that Anthem, Inc., one of the country's largest health
care providers, announced that they had a data breach exposing
the accounts of 80 million customers. That breach compromised
PII that included customer social security numbers and e-mail
addresses. The size of that breach is eight times the total
number of people who have signed up for the Affordable Care Act
through Healthcare.gov.
Since the launch of Healthcare.gov an additional 10 million
Americans now have healthcare coverage. I believe that
extending market opportunities to 10 million Americans to get
health insurance represents a tremendously positive event for
millions of families across this country. Despite the dark
conjectures about security of the website, they have not
suffered any significant loss of personally identifiable
information or major security breach to date.
Privacy protections must be addressed and improved
throughout the internet, and that includes on Healthcare.gov. I
hope this hearing helps us explore these broad privacy issues
and I look forward to hearing from our witnesses.
With that I yield.
Chairwoman Comstock. Thank you.
And if there are Members who wish to submit additional
opening statements, your statements will be added to the record
at this point.
Chairwoman Comstock. Okay. At this time I would like to
introduce our witnesses. Our first witness is Ms. Michelle De
Mooy, Deputy Director of the Consumer Privacy Projects at the
Center for Democracy and Technology, or CDT. Prior to CDT, Ms.
De Mooy was Senior Associate for National Priorities at
Consumer Action, a national nonprofit focused on empowering
underserved and disadvantaged consumers. Ms. De Mooy earned her
bachelor of arts degree in government from Lehigh University.
Our second witness today is Mr. Morgan Wright, Principal
from Morgan Wright, LLC, where he provides advisory and
consulting services in cybersecurity and identity theft. Mr.
Wright has provided in-service training to the FBI Computer
Analysis Response Team, served as Global Industry Solutions
Manager for Public Safety and Homeland Security at Cisco, and
as Vice President of Global Public Safety at Alcatel-Lucent.
Mr. Wright received his bachelor of science from Fort Hays
State University and an Executive Certificate in Leadership and
Management from the University of Notre Dame. Perhaps most
important of all, Mr. Wright is a resident of the 10th District
of Virginia, but I didn't know you were coming today until they
reached out. But I am pleased to welcome you today to the
hearing.
So pursuant to Committee's rules, all witnesses must be
sworn in before they testify so I guess we all stand up. And
please rise and raise your right hand.
Do you solemnly swear or affirm that the testimony that you
are about to give will be the truth, the whole truth, and
nothing but the truth so help you God?
Let the record reflect that the witnesses answered in the
affirmative.
Thank you. You can be seated.
Okay. And now we will have our five-minute statements from
the witnesses. And your entire statement, if it is longer, will
be entered into the record also.
I now recognize Ms. De Mooy for five minutes to present her
testimony.
TESTIMONY OF MS. MICHELLE DE MOOY,
DEPUTY DIRECTOR, CONSUMER PRIVACY,
CENTER FOR DEMOCRACY AND TECHNOLOGY
Ms. De Mooy. Chairwoman Comstock, Chairman Loudermilk,
Ranking Member Lipinski, Ranking Member Beyer, and Members of
the Committee, thank you for the opportunity to come here today
and testify on behalf of the Center for Democracy and
Technology.
CDT is a nonpartisan, nonprofit technology policy advocacy
organization dedicated to protecting civil liberties and human
rights on the internet, including privacy, free expression, and
access to information. I currently serve as the Deputy Director
of CDT's Consumer Privacy Project.
We welcome the attention the Committee has given to the
pressing issues of consumer data privacy and security through
the lens of data sharing on HealthCare.gov. I will review first
the data-sharing practices on HealthCare.gov, discuss the
privacy and security concerns that these bring up, and make
five concrete recommendations for the government to address
these concerns.
Several weeks ago, the security firm Catchpoint Systems
found that user information was being shared with over 50
entities on HealthCare.gov without user knowledge or
permission. When citizens visit HealthCare.gov to learn more
about the programs offered to them under the Affordable Care
Act, they are asked to give certain pieces of personal
information in order to show which health insurance plans they
qualify for. After submitting this information, HealthCare.gov
then surprisingly sent a referral URL to an array of third
parties that included some of this information that the
consumers had submitted to the site, including parental status,
ZIP code, and annual income. This information is used both by
websites themselves and third parties for website analytics, as
well as for advertising and marketing purposes, also known as
retargeting.
For HealthCare.gov, administration officials have said that
the refer URL was directed to third parties in order to give
consumers a simpler, more streamlined, and intuitive
experience, and this is doubtless true. However, the
government's decision to work with outside vendors allowed
private companies to access user information without their
knowledge or consent. It is not clear if HealthCare.gov used
tracking technologies for retargeting purposes but it appears
likely to have played a role.
The use of retargeting in order to increase awareness of
and enrollment in available health insurance plans would have
been an understandable goal for the government. It is not,
however, a free pass for the government to share user
information and characteristics with an array of third-party
commercial entities, without permission.
Sharing of personal information with third parties is a
privacy concern for several reasons. People who visit
government websites often do not have a choice. They must visit
a designated online place in order to access specific
government products and services. Personal data is valuable.
When personal information is collected and shared, it is often
combined with other data to build individual profiles. This
profile is used to target products and services to you and is
increasingly also used to create consumer scores that function
similarly to credit scores. Health information in particular is
sold for a high premium on underground markets, some experts
estimate up to $40 to $50 a record, because it is fairly easy
to monetize for criminals seeking to bill expensive medical
items to Medicaid, for example, or to commit medical identity
theft. The theft or use of health information is much harder to
recognize and stop than the theft of financial data and more
difficult for victims to seek redress.
The number of third-party content providers loading code
into the browsers of visitors on HealthCare.gov poses serious
security issues. Researchers have pointed to third-party
content as one of the primary ways for websites to be infected
with malware. Hackers wishing to compromise the integrity of
third-party content providers can accomplish a wide range of
attacks from simply changing the content of the page to
capturing user information and credentials like passwords.
There is no evidence that personal information from
HealthCare.gov has been misused but the number of outside
parties that can load content and that can see personal
information about users is troubling.
Overall, the privacy and security missteps taken by
HealthCare.gov were avoidable. We recommend that the government
immediately take the following steps: 1) follow sensible
guidance available to them and to Office of Management and
Budget documents on third-party sharing; 2) implement the six
recommendations to protect user privacy and security on
HealthCare.gov made in a 2014 report by the Government
Accountability Office; 3) strengthen HealthCare.gov's privacy
policy limiting third-party sharing only to which it needs to
function; 4) implement in-house analytic software that does not
report user data back to the software maker; 5) honor the
wishes of consumers that express a preference in their browsers
not to be tracked.
Ultimately, Congress can best protect consumer information
by strengthening legal incentives for companies to better
safeguard data and by enacting comprehensive data privacy
legislation to give users more control over how their
information is collected and used.
Thank you.
[The prepared statement of Ms. De Mooy follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairwoman Comstock. Thank you.
I now recognize Mr. Wright for five minutes.
TESTIMONY OF MR. MORGAN WRIGHT,
PRINCIPAL, MORGAN WRIGHT, LLC
Mr. Wright. And it is a pleasure to be in the 10th
District. Thank you.
Chairwoman Comstock, Chairman Loudermilk, Ranking Member
Lipinski, and Ranking Member Beyer, and Members of the
Committee, thank you for inviting me again to testify.
I am Morgan Wright. I am a Principal of Morgan Wright, LLC.
I provide advisory and consulting services to the private
sector in the area of cybersecurity, advanced technology
introduction, strategic planning, and identity theft solutions.
In addition, I am currently a Senior Fellow for the Center for
Digital Government. The Center is an advisory institute on
information technology policies and best practices in state and
local government.
Now, I had the honor of testifying before the Committee on
November 18, 2013, concerning the security of HealthCare.gov at
that time. Since that time, there has been progress made in
addressing security and privacy concerns, but yet I find myself
repeating many of the same observations today that I made
nearly 15 months ago.
I was posed three questions from the Committee. As to the
first question, in the healthcare field, there is an approach
they call minimum effective dose, which is the lowest dose
level that you need to get a significant response. If we apply
that to third-party applications on the site, it is apparent to
see that out of the 50 previously reported compared to the 11 I
observed this morning when I checked the site again, that was
an overdose not needed as evidenced by the action of removing
39 of them since discovery. In comparison, Whitehouse.gov and
IRS.gov have only four and two third-party applications running
respectively. There is no doubt some level of measurement is
needed but 50 is digital overkill.
Numerous questions need to be answered by CMS. Are there
any written agreements governing the collection and use of PII?
How long has each third party been active on the site? How is
the use of data governed and audited? Were consumers ever
notified that their PII was being shared with third parties?
And these are just a few of the questions.
As to the second question, the security of the site has
been a primary point of weakness since before the launch on
October 1, 2013. In my previous testimony, I highlighted
several major issues prior to and after launch. Among them was
the lack of and an ability to conduct an end-to-end security
test on the production system. The fact that numerous security
flaws, flaws that are the most basic type, are left to be
discovered by outside third parties, makes it appear
HealthCare.gov is crowdsourcing the security and privacy of
this important site.
In September of 2014 the GAO issued a report on the site.
The highlights state in part that weaknesses remain in both the
processes used for managing information security and privacy,
as well as the technical implementation of IT security
controls. Just some of the key findings: one of the key
findings, CMS has not fully implemented security and privacy
management controls. It stated that it did not fully implement
actions required by NIST before collecting and maintaining PII.
Another finding: CMS did not document key controls in
system security plans. The findings said without complete
system security plans, it will be difficult to make a fully
informed judgment regarding the risk. Look, if an authorized
security decision-maker cannot be fully informed to understand
the current risk, it is inconceivable to think that sufficient
information exists today to enable 50 third-party applications
to operate on HealthCare.gov and to fully understand the
associated risk.
Another finding: CMS did not conduct complete security
testing. This is an echo of my previous testimony.
And one of the final ones: control weaknesses continue to
threaten information and systems supporting HealthCare.gov. And
in the finding it said CMS--and this is the troubling one--CMS
did not restrict systems supporting the federally facilitated
marketplace, FFM, from accessing the internet. Allowing these
systems to access the internet may allow for unauthorized users
to access data from the FFM network, increasing the risk that
an attacker with access to the FFM could send data to an
outside system or that malware could communicate with the
command-and-control server.
The unmanaged access to outside connectivity is very
disconcerting. The documented activities of Unit 6139A of the
Chinese People's Liberation Army and the indictment of five of
their members relied upon this exact recipe for their
activities. The introduction of third-party applications
combined with lack of security, oversight, and control raises
the specter of current and undetected state-sponsored
penetration of HealthCare.gov. Significant data breaches have
been accomplished against far more secure systems.
And as to question three, as NIST continues its leadership
role, it has spearheaded the development of the framework for
improving critical infrastructure cybersecurity. A review of
the framework provides valuable approaches for CMS to utilize
in securing the site. The aspect of privacy is so fundamental
that it was referred to 30 times in the document. One of the
foundational documents is their Special Publication for
Information Systems and a key section of the document is
Appendix J, Privacy Control. It is a relatively new section but
I believe that there is one control under there, AR-3, privacy
requirements for contractors and service providers would be
applicable in this case to the use of third-party applications
and, if followed, would have allowed--would not have allowed
for the proliferation of unmanaged data collection.
So thank you for your time and I look forward to your
questions.
[The prepared statement of Mr. Wright follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairwoman Comstock. Thank you very much. I thank the
witnesses for their testimony and insights.
And now we are going to do questioning for five-minute
rounds. And I will recognize myself for five minutes.
Now, given that we first learned about these I guess about
three weeks ago. If we were--and this is to both of you--if
HealthCare.gov were employing a lot of the management tools
that you have outlined here for us, would CMS be able to fairly
simply tell us what was going on? Is it something that should
take a long time for them to tell what their system does and
whether it is safe or not? Because I think from the consumers'
standpoint, I think we would like to know pretty quickly what
is going on one way or the other in case it needs to be
remedied, like you said in the case of if 50 is too many, what
is okay or what is--shouldn't they know how many are there? So
I am just trying to get a sense of what should they be doing so
that they can tell us something fairly basic like this pretty
quickly.
Mr. Wright. You bring up--and I appreciate the question.
You bring up from my prior testimony, I think one of the
fundamental things that has to be done is a complete end-to-end
security test of the production system. It is referenced again
in the GAO report and Ranking Member Lipinski, even to your
comments, there has been a lot of significant progress made.
They do need to do marketing but we all want that marketing to
be safe. You know, HealthCare.gov isn't about R's and D's. It
is about ones and zeros. It has no allegiance to a party. It
does what it is told and my concern is that the ones and zeros
are not being told to do the right things to protect not only
the privacy but the security. You can't have total visibility
of a system until you understand end-to-end. And the government
would not allow a car to be sold on the open market unless it
went through a complete crash test. You cannot test individual
components of a car and say it is safe; it has to go through
the entire gambit. And HealthCare.gov should do the same.
Ms. De Mooy. Yes, thank you for the question. I think from
a consumer perspective the way that people would have found out
about this was through the privacy policy, and we found a lot
of problems with the HealthCare.gov privacy policy. For
example, it is very broad and very vague. They don't define
personally identifiable information and there are guidelines in
NIST for defining this, but the impetus is on the privacy
policy to sort of define it for itself so that there aren't any
loopholes in which data can fall through. So that would have
been very helpful. That would have been a form of transparency
that would have allowed people to understand a little bit more.
Also, the privacy policy kind of deferred to the privacy
policies of the third parties. So it was--the onus was on the
consumers or the visitors of the site to find out the policies
then of the third parties, which is a little disingenuous
considering that many people had no idea that these third
parties were there in the first place.
Chairwoman Comstock. You know, if one of the reasons why
they are doing this is they are trying to reach more people to
say hey, you might be eligible, you know, whatever you are
doing, aren't there other much safer ways to do that? Like,
say, you know, if we know a particular ZIP code has a high
density of uninsured people, you can--I mean would it expose
anyone's privacy if you were maybe advertising online to
somebody in their ZIP code or, you know, you were doing
outreach efforts that are targeted to targeted populations? Is
there a way--what is the best--you know, sort of best practices
on doing that in a way that secures people's privacy?
Ms. De Mooy. Sure. Yes, Chairwoman, I think that the way
that you put it is exactly right, that there are ways to limit
it to certain data points so that you are not getting
unnecessary data in order to do things like retargeting. And
yes, there are very good reasons why the government, to fulfill
its mandate, would need to do outreach to try to get more
enrollment, to try to get people aware of these programs.
That said, I think the way that my fellow witness here put
it, it was overkill. There was no need for the leakage that
occurred. And I think some of this is governed by the contracts
that existed between the government and the vendors that they
used, and I think it would be very helpful for when the
government witnesses are here to find out exactly what the
terms of those contracts were in terms of data sharing.
Mr. Wright. Just a quick follow-up, too. You know, I am not
the marketing expert, but however, I do know is that a great
marketing product or software implemented poorly is still a
poorly designed product. And the concern is is that even though
as these things collected data and information, there is a huge
issue with the collection of data by several--there are about
52 major data brokers that, if you want to find out what
somebody is doing online, their address, we saw this in
Ferguson, we saw this with ISIS and the compromise of the
CENTCOM site. They are using personally identifiable
information to target people.
Ask Colonel Replogle of Missouri Highway Patrol. His
information was released by Anonymous and he was specifically
targeted. So these things--these programs have consequences if
not managed correctly.
Chairwoman Comstock. Thank you very much.
And I now recognize Mr. Lipinski.
Mr. Lipinski. Thank you, Madam Chairwoman.
I just want to make sure we try to take a couple steps back
here because there is a lot we don't know unfortunately. And I
do look forward to asking questions of the--of the CMS.
But just so I have a better understanding, I think we
discussed the use of third-party analytics tools is common in
both private and governmental websites. What usually is done on
a private website when they are using a third-party data
analytic--how is it--how is privacy--and again, we have to talk
about what the standards are going to be, but what is usually
done? When I go to a website, how often are there third parties
looking at the data and what happens with that and how do I
know that there are third parties? What is going on with that
and am I--is there any way that I am protected if I am going to
a private website?
Ms. De Mooy. Thank you for the question. It is a great
question and it sort of begins at the layers of communication
that occur when you go onto the web. Some of them are behind
the scenes and some of them are more apparent. It is rampant on
the web certainly with commercial websites but even, you know,
all sorts of entities. Data sharing is absolutely aggressive.
So in terms of protections, there are very few. There are
settings that you can place on browsers that restrict or at
least broadcast the fact that you would not like to be tracked,
but those are sort of on the honor system right now, which
makes it difficult to enforce.
But just to get back to your technical question, when you
are online and say, for example, you click on a link or you go
to a website, it will trigger a message from your browser to
the intended website's server and that sort of announces your
arrival to them and it will share basic information about you
like your IP address, which I think most people know but it is
sort of like your telephone number is your address on the
telephone network. Your IP address is your address on the
internet. And the information exchanged usually during this
point is just utilitarian, sort of what does your browser
support so that the website will load correctly?
When a website wants to customize this and wants to sort of
remember who you are and remember certain places that you may
have gone, things you are interested in, which is how we put
customization, they may enact third parties and that may
involve dropping a cookie, which is sort of a little recorder
is the way I like to think of it, onto your computer and that
will observe where you have been and it will also observe where
you are going to, so different websites that you are surfing to.
And if the site wants to do marketing and advertising, they
will employ third parties and they will have different
contracts. And this can be up into the hundreds and thousands
for some sites.
Mr. Lipinski. And why would there be so many?
Ms. De Mooy. Well, it is a lucrative business and data
miners and advertising networks work in real time, and so the
time that you are online may feel slow to you but to the
advertising networks, they are grabbing millions and trillions
of data points every single second. And so that is monetized
then into serving advertisements. So the more, the merrier.
Mr. Lipinski. Okay. Because is there any--the question is
for the--for HealthCare.gov is why were there so many--however
many it is--and we are still not exactly sure how many--why
would there be a dozen, two dozen, three dozen----
Ms. De Mooy. Um-hum.
Mr. Lipinski. --and why would HealthCare.gov--why would
they use that many?
Ms. De Mooy. To me that is inexplicable to be quite honest.
I can tell you that the rationale would probably include web
customization, so wanting, as they said, to make the site more
streamlined, more intuitive for people so that it is easier to
find access to the information they are looking for. In other
words, if a consumer comes to a website and they really just
want to see the plan rates, but the website will serve that to
them the next time and it sort of remembers that.
The act of having--especially for a government website--
that many entities in order to do something like retargeting to
me is inexplicable. I think it is an example--and this is just
speculation--is an example of when you have multiple different
contractors working on a project, this was sort of the easiest
and kind of laziest way to design the site, to do--there are
ways to do it in-house and there are ways to do it in a more
privacy-protective manner, but that was not done here.
Mr. Lipinski. Okay. There are ways to do that in-house, you
said----
Ms. De Mooy. Yes.
Mr. Lipinski. --and your testimony you had talked about
that. I think I am going to--my time is almost up. I want to
make sure everyone else has questions.
If we have time for a second round, I will have more, but I
yield back.
Chairwoman Comstock. Thank you.
I now recognize Mr. Johnson for five minutes.
Mr. Johnson. Thank you, Madam Chairman. And thank you to
the panelists for being here today.
I can tell you that as a 30-plus year IT professional both
in the Department of Defense and in the private sector I remain
very, very concerned about the inadequacy of security and the
safeguarding of consumers', hard-working taxpayers' personal
private information.
Ms. De Mooy, in May of 2013 the President issued that
Executive Order to establish an open data policy to make open
and machine-readable data the new default for government
information taking really historic steps to make government-
held data more accessible to the public and to entrepreneurs
while appropriately safeguarding sensitive information and
rigorously protecting privacy, or so it is stated.
Let's go back for a second so that I can get this straight.
Is it mandated in your opinion--it has been mandated by the
government that Americans need to sign up for healthcare and
that, for the most part, they will do so on the government-
created website HealthCare.gov, correct?
Ms. De Mooy. That is correct----
Mr. Johnson. Okay.
Ms. De Mooy. --as far as I know.
Mr. Johnson. Now, once they are on HealthCare.gov, they
have to give their personal information in order to sign up for
their healthcare, correct?
Ms. De Mooy. That is correct, sir.
Mr. Johnson. Okay. And with what we are learning today, the
government is then helping companies through this Open Data
Initiative to collect all of that personal information of the
American people--on the American people, correct?
Ms. De Mooy. I am not quite sure what the question was.
Mr. Johnson. What we have learned from the President's
Executive Order and all of this open data transformation that
he has done, we are learning that the government is helping
these outside companies through their data mining efforts,
through this Open Data Initiative to collect all of that
personal information on the American people, correct?
Ms. De Mooy. My understanding of the Open Data Initiative
is a bit different. It is more about actionable data that can
be used to help the public or for the public. It is more about
transparency. And in this case, transparency would have been
very helpful. I think that the fact that people have no choice
when they come is a serious problem that should have held the
government to a higher standard in terms of protecting their
privacy and security.
Mr. Johnson. Well, again going back in my experience and
something that Mr. Wright said a little earlier, you know, this
is not rocket science. It is ones and zeros. And if they are
allowing this Open Data Initiative to collect some information
that is out there, I mean we have seen how many different
commercial and government systems have been hacked by the bad
guys already----
Ms. De Mooy. Um-hum.
Mr. Johnson. --and with the security concerns that we have
got about HealthCare.gov already, do you believe that the
Administration is yearning for greater openness to make
government-held data more accessible? Do you believe that has,
whether intentionally or unintentionally, potentially
compromised American citizens' privacy on HealthCare.gov?
Ms. De Mooy. In my opinion, no. I think the government--I
can't speak for what the intentions were. I don't have any
direct knowledge of that, but I can say that my understanding
of the Open Data Initiative was about giving citizens more
opportunities for actionable data, more transparency in the
government, and I think in this case it had more to do with the
function of the site, which was to reach as many people as
possible, to, you know, do some advertising and marketing to
get to the populations that would be interested in this. And I
think they went far beyond what was necessary and far beyond
what their own government has suggested and prescribed.
Mr. Johnson. I am running out of time.
Mr. Wright, same question to you. Do you think that
allowing this Open Data Initiative, have we potentially
compromised American citizens' privacy on HealthCare.gov given
what we already know about the security inadequacies of the
system?
Mr. Wright. My opinion would be yes because it is a--
because now what you are mandating is a philosophy and a
direction to say everything will be shared except for maybe
some certain things. So people may be interpreting what the
intent of the Executive Order was and they are attempting to do
things, but without clear guidance, without clear structure,
without clear privacy and security, you then get the law of
unintended consequences, which is the information is used
improperly and collected improperly and collected in an
unabated fashion.
Mr. Johnson. I tend to agree with you, Mr. Wright. I
respect your opinion, Ms. De Mooy, but as someone who has had
to provide security to systems--in systems, I personally think
we have opened the proverbial barn door and the cows are going
to get out. And with that, I--my time is expired.
Ms. De Mooy. I am sorry. I just had one additional comment
to make, sir.
Just--I think the Open Data Initiative should be coupled
with the understanding that trust is necessary. The people
needed to have trust in the systems and particularly when it
comes to healthcare Americans shouldn't have to choose between
privacy and health.
Mr. Johnson. Oh, my goodness, Madam Chair, you are exactly
right. The people should be able to trust, but the
Administration has demonstrated clearly that it is not a
trustworthy system.
Ms. De Mooy. Right, and perhaps proverbial--
Mr. Johnson. Security was never designed into the system in
the first place.
Chairwoman Comstock. Thank you.
I now recognize Mr. Beyer for five minutes.
Mr. Beyer. Thank you, Madam Chair.
Mr. Wright, I just wanted to clarify one thing. You suggest
in your testimony that personally identifiable information was
released from HealthCare.gov and it is true that information
was released to third parties--we have heard about this, the 50
people--50 agencies, and there certainly are legitimate
privacy-related questions, but from everything I know there is
no PII data that was actually released and certainly no medical
records.
Unfortunately, we have seen many, many other instances of
PII data released on a frequent basis. Last year, eBay revealed
that hackers had stolen the personal records of 233 million
users, including usernames, passwords, phone numbers, and
physical addresses. Anthem, we talked about, with the 80
million. My wife seems to get a new credit card every 90 days
because the bank sends her a note saying the credit card has
been compromised. And these are all unfortunate circumstances
but they point to larger issues, security and privacy, but I
don't think they point to specific PII data from
HealthCare.gov. Your comments?
Mr. Wright. No, correct. And it is not the implication that
people's complete PII was released, but when you take pieces of
information such as your age, your income, whether you are
pregnant or not or you smoke, the whole point about the ability
to correlate from large amounts of data sets, your visit at
HealthCare.gov combined with information from other data
brokers or other things that you have done has now created the
opportunity, and actually the end result then is the disclosure
because you provided the key components that link behavior on
one side or behavior on the internet now to very specific
information about you.
The Chair, when she released her statement, is one of the
things in my written testimony about MIT. We have now gotten to
the point on the internet to where there is so much data
floating out there it takes very small steps to be able to
create a profile on a user to understand where you live, what you
do, what your interests are. Marketers use it all the time but
the issue--the difference between the public sector and the
private sector is if my information gets exposed from eBay,
there will be 1,000 attorneys filing class-action lawsuits.
Unfortunately, with the immunity of the federal government,
citizens don't have the same recourse. So to your point, that
higher standard needs to be there. So because I don't have that
recourse I should then have the higher standard to not have to
worry about that.
But in total agreement, no specific PII was released, but
the combination of factors and bringing it all together, it is
the totality of the circumstances, not an individual action.
Mr. Beyer. Okay. Thank you very much.
Ms. De Mooy, is there any reason not to prohibit third-
party vendors and can the website even be evolved to work
without outside vendors, in-house data analytics? And I wonder,
too, this is very speculative, but we know how tortured the
rollout of HealthCare.gov was. How much of this do you think
was the crashing and burning of CGI and the replacing with
Accenture and all the firms trying to put Humpty Dumpty back
together again?
Ms. De Mooy. Well, I appreciate that analogy. I don't have
any knowledge about the mechanisms that went on. I can
speculate that when you hire a lot of outside vendors to work
on one project, that the communications can fall apart. And I
think in this case, when I look at the site design, it feels to
me a bit lazy. And like I said before, the easiest thing is to
just allow rampant sharing. It is a little more technical and
in fact more well-designed to limit that sharing.
Yes, the government could do some of the analytics,
definitely the analytics in-house. They could create sharing
buttons. They could have, you know, really ironclad privacy
policy that includes privacy policies for their third parties
as opposed to sort of adopting the policies of their third
parties.
Mr. Beyer. You had mentioned that we need comprehensive
data privacy legislation.
Ms. De Mooy. Correct.
Mr. Beyer. Is there such model legislation out there?
Ms. De Mooy. We are waiting on the White House. They had
said that they would release it 45 days after the President's
State of the Union address.
Mr. Beyer. Okay. Great. Thank you.
I yield back, Madam Chair.
Mr. Wright. Could I actually add just one comment? Is that
okay?
To your point, though, actually I think one of the things
that would help is really not a technical issue. Back in my day
doing work inside the justice, the intelligence community, the
one thing that always had to be there was that executive
sponsorship, that single point of contact who is what--we used
to call it the single throat to choke. I think something that
would vastly help and I think the implementation of Accenture
over CGI, bringing in people who actually have the ability to
do that leadership and create that single point of leadership.
I think that is one of the biggest failures is there was no
single prime in charge of the entire project. We had a lot of
stovepipes, which we know from information sharing caused
problems. I think the biggest thing they could do is really get
down to that single point of contact, who is the true leader
that I can go to, push their belly button, and solve all of my
problems?
Mr. Beyer. Thank you very much.
Chairwoman Comstock. Good. I now recognize Mr. Posey for
five minutes.
Mr. Posey. Thank you, Madam Chairman.
I understand the purpose of retargeting. When I look at a
barbecue or a bathroom vanity or a power tool on a hardware
store website, I understand, but it doesn't necessarily make me
comfortable that the same product pops up on the next website
that I visit. And, you know, I understand the idea that
companies want to be able to target me in a similar way, but I
don't understand why HealthCare.gov would feel the need to have
such similar tactics incorporated as to hardware store or
Zappos or whatever. I mean it seems like a larger invasion of
privacy. It seems like a larger invasion of privacy to me. Just
wondering what your thoughts are, both of you?
Ms. De Mooy. Thank you for the question. I think the reason
that I would imagine that the government would give for doing
retargeting, which, as I said before, it isn't certain--it
appears to be likely but it is uncertain--the reason they would
have done that would be to find the people who needed the
information, so to reach into communities where people who
don't have health insurance live, go to the sites, and the way
that they would learn this is by, you know, sharing the
information and learning where people come from to where they
first learned about it and link to the site and go and making
sure that they are advertising at that site.
One of the problems with that in terms of--from a privacy
advocacy perspective is that when you reach into communities
such as those that don't have health insurance, you are often
reaching into communities that are disadvantaged, and there
have been studies and surveys that show that people who are
disadvantaged tend to suffer more privacy harms in terms of
being labeled. I know the Senate Commerce Committee report came
out that identified some of these labels as ``urban and barely
making it,'' ``second city ethnic,'' things that are insulting
to say the least but also can actually accelerate the cycle of
poverty by sending things like predatory loans and different
sorts of interest rates.
Mr. Wright. I am with you. I confuse privacy and property
all the time. I think I buy too much online sometimes.
My aspect on it though is not from a marketing standpoint,
but any time--if you take a penny and you double it, you know,
every day for 31 days, you end up with $10,700,000. Every time
you add another component, every time you add more things that
have to be done, every time you add another third-party
application, you just don't arithmetically increase the attack
vectors; you geometrically increase all the things you have to
defend against.
That is why in my opening statement I talked about, you
know, physician, heal thyself. Use a minimally effective dose.
Use only the things you need to use to accomplish the mission
you need to accomplish. It should be a well-defined business
case that has security and privacy impacts understood before
you do it, and then when you get things like retargeting and
stuff, then you have very limited scope specifically addressed.
But to my--from my perspective, you limit the vulnerabilities
then to the site and the amount of things that can be exploited
because one program of itself may be secure, but combined with
another one and a third one could create a host of unintended
vulnerabilities you are not aware of because you have never
tested that combination of programs before.
Mr. Posey. Thank you. And good answers.
Is there a requirement or standard or practice for private
companies to inform visitors about third-party analytics?
Ms. De Mooy. Yes, sir. Generally, this is done through a
privacy policy, which I would imagine most of us in here don't
read. I know that I have been guilty of that. They are very
lengthy usually in sort of a legalese that is difficult for
most people to wade through. So we almost always agree if it is
something that preempts joining a service or a site.
The government in this case should be held to a higher
standard than that in my opinion not just because the
government should be the steward of privacy and security but
also because, as I said, people don't have a choice. They need
to go to this website and they should have been given a choice
about whether to share their data.
Mr. Posey. Mr. Wright?
Mr. Wright. And actually just one point, I mean do you know
how many companies would pay big dollars to guarantee 10
million visitors to their site? I mean it is--there is a--that
is, you are right, big money, and there is no choice for them
to go to that. And so to that point it does need to be a higher
standard because they don't have a choice. Consumers have a
choice of going to private websites. They also have the choice
of litigation. So with Anthem, with eBay, with all the other
ones, there will be litigation over this but it is very difficult
to sue the federal government.
Mr. Posey. Very good.
Thank you, Madam Chair. I yield back.
Chairwoman Comstock. Thank you.
I now recognize Ms. Bonamici for five minutes.
Ms. Bonamici. Thank you very much, Chair Comstock and
Ranking Member Lipinski.
This has been a very interesting discussion, and I have to
say that it really highlights the issues of--two issues of
importance: access to healthcare and protection of personal
privacy. I spent part of this morning in a hearing in the
Education Committee about privacy regarding student records,
and I said then and will say again that whenever we are talking
about legislating in the area of technology, it is always a
challenge to find the right balance because, as we all know,
the technology advances usually a lot quicker than the
legislation so we want to make sure that we are finding the
balance that protects people's privacy but does not inhibit
valid, useful purposes for technology and advances in
technology.
So I really do look forward to hearing from CMS and hearing
their answers. I know we have had some hearings on this issue
before but highlighting from them. As Ranking Member Beyer
said, it would have been best to have them answer questions
first and then we could follow up on what they said.
But, you know, I want to say that we all acknowledge that
there are legitimate problems with HealthCare.gov. Certainly in
my State of Oregon we did not do a good job at all with that.
But it is also important to remember that the Affordable Care
Act is about more than a website; it is about access to
healthcare for millions of Americans.
I want to make sure that we don't, in this hearing and
other hearings in the future, spread any sort of unfounded fear
or misinformation when really our constituents are looking for
clarity. So I hope we can help inform them about ways that they
can protect their privacy online and specifically keep their
personal information safe.
And I want to ask you, Ms. De Mooy, and follow up on the
conversation you were having with Mr. Posey, that you say in
your testimony that consumers from disadvantaged communities
face more potential harm such as being profiled in databanks.
So given the importance of the Affordable Care Act to
disadvantaged communities that have historically lacked access
to affordable healthcare, how can HealthCare.gov do a better
job of serving those consumers while also protecting their
privacy?
Ms. De Mooy. Thank you so much for the question.
The government needs to implement the recommendations that
I outlined in my testimony that include guidance from OMB that
really lays out exactly how a government should interact with
third parties. It is very privacy-protective. It is also
practical in terms of using sharing technologies, using web
analytics technologies.
And also my fellow witness brought up and I should mention
the GAO report in 2014, which appears to have been ignored. I
am not sure exactly if that is the truth, and it would be
really good to hear from the Administration on the progress,
but those are also excellent privacy and security guidances
that the report gave. So I would say that that would be a good
start. And it is actually--as opposed to a data breach, it is
something the government can do right now.
Ms. Bonamici. Right. And I look forward to following up on
that when the Administration is here.
So we talked a lot about the personally identifiable
information, or the PII, and I am just intrigued by this whole
discussion because, you know, we--Mr. Posey was talking about
Zappos and shopping online and how he gets those ads, and not
to minimize the issue, but say, for example, someone is
searching for a cure for morning sickness or newborn clothes,
might someone figure out that perhaps they were pregnant? Or
what if they shopped for some sort of product to quit smoking?
My point is that there are a lot of ways that I guess these
third party companies can figure out those personal--personally
identifiable issues.
So just to confirm, has any personally identifiable
information been gathered through HealthCare.gov--been used
improperly?
Mr. Wright. You bring up a very good question. By the way,
sorry about the Ducks. They beat Florida State, Notre Dame----
Ms. Bonamici. Oh, I was----
Mr. Wright. --so I am with you on that.
Ms. Bonamici. Sorry you reminded me about that, though. I
am still recovering.
Mr. Wright. Yeah. The issue is--and I go back to it--it is
the GAO report. It is what I said November 18, 2013. They have
never done an end-to-end security test, so until you do, you do
not know that PII has never been exposed. All you can say is as
far as we know, which back in my days as a detective always got
me in trouble with the defense attorneys, as far as I know, so
you don't know everything, you just know that.
Ms. Bonamici. Yeah, and I understand that they did an end-
to-end security review in December and they are currently
reviewing that, so we will make sure that we ask about that
when----
Mr. Wright. Well, actually it was a review of controls as
opposed to an end-to-end full system security test of the
production system.
Ms. Bonamici. Thank you. And I do want to try to squeeze a
question in----
Mr. Wright. Sure.
Ms. Bonamici. --in the last couple seconds about human
factors, research, and I know that--I mean, Ms. De Mooy, you
talked about how people just tend to click without reading
policies. They are given to following what is convenient, don't
understand the fine print or the options, so is there some
research that we can do or that can be done that will help
inform consumers so that they can better protect their privacy
and defend against cybersecurity threats? Is there certain
kinds of research that we need to help our consumers and
constituents?
Ms. De Mooy. Honestly, no. There have been quite a few reports
and studies done and I think almost every aspect of this has
been looked at and picked apart either by academics or
technologists or advocates. I think simply entities, government
entities, commercial entities, need to take privacy
insecurities very seriously and not view the opportunities to
get data as, ``I will collect as much as I can and then figure
out what to do with it later,'' but to have very solid systems
in place that include privacy risk assessments and privacy
model threats, which is, you know, something that is a sort of
a wonky thing to say but is actually very useful, even for the
average person to consider what data may be getting out there
about you, to really take the resources that are available
online to look at your data profile. There are some companies
that allow that. There are some that give you sort of your
advertising profile.
Those resources are helpful but I think really the onus is
on especially the government to lead the way by having the
highest standard of privacy and security and then to create
legal incentives for companies to protect and safeguard user
data.
Ms. Bonamici. Thank you so much, and my time has expired. I
yield back.
Thank you, Madam Chair.
Chairwoman Comstock. Okay. And now I recognize Mr. Palmer
for five minutes.
Mr. Palmer. Thank you, Madam Chairman.
Following on that line of questioning, in the Anthem hack,
the hackers got access to medical IDs and that is a little bit
more problematic than just finding out what drugs people buy
and whether or not they exercise, that sort of thing. Would it
not create some issues in regard to violation of the HIPAA laws
if a company bought that data and was able to specifically
target advertising to people, for instance, who are diabetic or
have certain other conditions? Let me address that to Mr. Wright.
Mr. Wright. I remember the initial creation of HIPAA and
stuff and I know a lot of that dealt with the encryption. I am
not an expert on HIPAA so I don't even want to pretend that I
can answer that completely.
Mr. Palmer. Well, let me simplify it.
Mr. Wright. Yes.
Mr. Palmer. It is against the law to disclose individual
health--patient information.
Mr. Wright. Correct.
Mr. Palmer. The doctor can't do it without your permission.
Mr. Wright. Correct.
Mr. Palmer. He can't share it with anyone, and that medical
ID could potentially get people access to that, that they would
then sell that information. And it seems to me that if this is
going on, there ought to be some legal recourse that either the
government takes or the individuals take against companies who
buy the data. It needs to go both ways, not just going after
the hacker but going after the people who are buying the
information. It is almost like buying fenced goods.
Mr. Wright. Um-hum.
Ms. De Mooy. Sir, I think one thing that would help would
be some transparency into the system, which there is very
little of it right now. Second, I would just say that HIPAA
didn't apply in this case. The HealthCare.gov website was not a
covered entity, which is--HIPAA is, you know, a really
complicated law. I struggle to understand it. But I know that
it did not fall under the categories of covered entities.
Mr. Palmer. Okay. And in that regard, when people are
basically being forced into a system, does it not make sense
that the government gives them an opportunity to opt out of
providing certain data or even allowing their data to be
shared?
Mr. Wright. I think--and it should be very clear because
you are on a government system. I mean it is about transparency
because that information you are talking about, collection, can
also be used to target a consumer from an individual standpoint
of access to their medical records, their financial records. We
know that these phishing attacks have been successfully done by
the Chinese, by the Russians, by other folks targeting specific
people. Unit 6139A specifically targeted people by a collection
of a lot of information. The more information you can get it,
it becomes--to a behavioral standpoint, I used to instruct
behavioral analysis like out at the NSA. I will tell you this,
that if I can get inside your mind and I can make you believe
it is a legitimate email because I have enough detail and I can
convince you, now I can compromise your identity.
That is the scary part about medical identity because now
that the payment system will be coming online, the ability to
commit fraud with somebody's medical identity, as the Chair
pointed out, 10 times greater than straight identity theft, the
value of that information.
Mr. Palmer. All right. In a report from last August--or
August of last year, which I guess would be last August, HHS
Inspector General found that the value of the 60 contracts that
were issued to develop and operate HealthCare.gov totaled $1.7
billion. At the end of last year Accenture was awarded a five-
year contract to fix HealthCare.gov that totaled $563 million.
Altogether now we have spent at least $2.3 billion on this
failed website. How much do you estimate that it is going to
cost to implement your suggestions to secure it?
Mr. Wright. My original testimony back in November there is
a rule of thumb that says if it costs $1 to fix it before it is
launched, it costs $10 to fix it after it is launched. In an
observation--
Mr. Palmer. I think it is going to be a little bit more
than 10, though, so what----
Mr. Wright. Well, I mean it is--what I am saying is that if
a problem--
Mr. Palmer. It is a tenfold issue?
Mr. Wright. It is a tenfold issue. So if it costs you $1
million before launch you could have fixed it, it will cost you
$10 million after launch. And, you know, my dad was a World War
II vet. They fought and completed World War II, built numerous
ships, numerous--thousands, hundreds of thousands of planes and
tanks with far less--in far less time, and my concern is this
will keep going because they are not addressing the fundamental
issues.
Mr. Palmer. I would like, if you don't mind, for you to get
back to the Committee and give us a number. And in regard to
your last point there, I used to work in engineering and we had
a saying that there is never time to do it right but there is
always time to do it over. Apparently, that is the case here.
Thank you, Madam Chairman.
Chairwoman Comstock. Thank you.
And I yield to Mr. Tonko for five minutes.
Mr. Tonko. Thank you, Madam Chair.
The traffic to the federal government health insurance
website was up 58 percent compared to the same time last week
in a week-to-week measurement. That was some 275,000
individuals that signed up, making it the busiest enrollment
period of the past two months, and the comparisons from last
year to this year are ``as an experience, pretty dramatic.''
What is your reaction to that?
Ms. De Mooy. My reaction is that the government should
immediately implement some of these recommendations to make
sure that no, as I said, American should have to choose between
their data sharing and their health.
Mr. Tonko. Does it indicate any sort of comfort zone with
the website?
Ms. De Mooy. I think that is difficult to say. I think
there is a deadline looming and so the government has tried to
get as many people who need this service to make sure that it
is in front of them and available to them. But the fact that
they have reduced data sharing is good; they just need to do
more.
Mr. Tonko. Um-hum. And it seems like over the past 10, 20
years the expectations of privacy have diminished dramatically.
Do you think that that is true and what can we do to ensure
that private personal data stay private?
Ms. De Mooy. I don't think that is true. It is something
that I hear quite a bit and I usually hear from people who have
curtains and people who like to wear pants, for example, sort
of not clever way but people care about privacy. It is a part
of autonomy. It is at the heart of it. And when you take that
autonomy away, in this example, where the government didn't ask
or get permission, then you are removing a fundamental right
that we have.
I think there are steps that--especially in the case of
HealthCare.gov--that can be taken to ensure more privacy, to
ensure autonomy and freedom, and so that when people go, they
have the option of whether they want to share this kind of
data. Certainly in the health context it is more sensitive.
I think companies have options. I think privacy is in
itself an innovation. To speak to your point about making sure
that we don't limit innovation, you know, the internet, I
remember a time when the internet was not something that people
used to buy things from. It was literally too scary to do that
but privacy became an innovation that allowed that to happen.
Mr. Tonko. Um-hum.
Ms. De Mooy. And I think in this atmosphere of data
sharing, rampant data sharing, that needs to happen once again.
Mr. Tonko. Ms. De Mooy, one of your recommendations that
would address the wider problems beyond HealthCare.gov was to
strengthen legal incentives for companies to better safeguard
data. Can you speak more directly to this and what it would
look like and why it is necessary?
Ms. De Mooy. Sir, I think that is something I could get to
you in writing. In our written testimony that sort of lays out
some of our recommendations. And CDT has done quite a bit of
work on policy in that and I think I would do it a disservice
to sum it up now. But I can say that in the President's
comprehensive Consumer Privacy Bill of Rights, what that did
was create a framework for legislation around the fair
information practice principles, which have guided privacy and
security for decades and are sort of renowned as something that
is flexible and nimble enough to address new technologies. I
think that would be a start for there to be sort of a baseline
consumer privacy legislation, something that we have been
sorely lacking in the United States.
Mr. Tonko. And are there steps that you believe can be
taken by private industry or commercial companies, internet
providers to help limit the amount of personal data these
enterprises collect?
Ms. De Mooy. Absolutely. I think data minimization is a
term that we use to describe when a company has a purpose for
collecting a data point and that it stops collecting after that
purpose has been fulfilled. It is a kind of simple concept but
one that is lost, especially in the rampant data collection
online. So implementing a real understanding of why you need a
piece of data and not just collecting every single piece that
you can get would drastically reduce the risks to people in
terms of security and privacy.
Mr. Tonko. Um-hum. Is there a point where that could become
unrealistic?
Ms. De Mooy. Data minimization?
Mr. Tonko. Um-hum.
Ms. De Mooy. To my understanding, no. I think data systems
are designed from the beginning, and when they use privacy
principles such as data minimization, it is very possible. You
know, there is really no system that I know of that needs every
single thing about you in order to function. Usually we use
services and apps for a specific purpose. And so I think that
is absolutely doable.
Mr. Tonko. Okay. Thank you very much, and with that, I
yield back, Madam Chair.
Chairwoman Comstock. Thank you.
And thank you to our witnesses.
I think we are supposed to have some votes sometime in the
next few minutes here, so I think we will be able to close out
now. But I really want to thank you and appreciate your
expertise.
And while, you know, we might have in the normal order--
certainly we ask the government to give us answers to the
letters we sent, but I think your expertise and the information
you provided I think will help illuminate that hearing, and so
I hope any ideas you might have for us and questions to ask,
that you will feel free to come forward because I think what
you have demonstrated through your discussion and the expertise
that you have is that we don't have to, nor should we have to
make the choice between privacy and being able to use our
modern technology.
I mean we have always been able to match technology with
technology if we approach it with the right principles. That is
sort of the new way we have to work on things in the 21st
century. So I think the very specific things that you pointed
out here and certainly doing this on the front end is much less
costly. So I think as we set up practices I think it has been
helpful for you to--the information you have given us and I
look forward to our next testimony in light of the information
you have given us.
And I do invite you to provide us with any additional
information that you think might be helpful as we hear from the
government, as we learn more going along. It would be helpful
for us for the record.
And the record for this hearing will remain open two weeks
for additional comments and written questions from Members. And
the witnesses are excused and this hearing is adjourned. Thank
you.
[Whereupon, at 4:04 p.m., the Subcommittees were
adjourned.]
Appendix I
----------
Answers to Post-Hearing Questions
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Responses by Ms. Michelle De Mooy
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Responses by Mr. Morgan Wright
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Appendix II
----------
Additional Material for the Record
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Prepared Statement submitted by Subcommittee on
Research and Technology Member Elizabeth Esty
Thank you to the Committee for holding this hearing on privacy and
security concerns on HealthCare.Gov, and thank you to our witnesses for
your time. Since so much of our personal business--from paying our
credit cards to applying for mortgages to choosing health insurance--is
now conducted online, it is all the more important that we maintain a
strong cyber infrastructure to protect our security and personal
privacy.
In Connecticut, we established our own health insurance
marketplace, Access Health CT, for residents to shop for and secure
health insurance. Over half a million Connecticut residents have
already enrolled in health insurance plans through Access Health CT,
and in 2014 our state's uninsured rate was cut in half. I am encouraged
by the level of success we have achieved in Connecticut, and I look
forward to working with my fellow Committee Members to ensure that
Americans across the country have access to affordable healthcare
without compromising their privacy and personal information.
Letters Submitted by Subcommittee on Research and Technology
Chairwoman Barbara Comstock
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Documents to Support Letters Submitted by
Subcommittee on Research and Technology Chairwoman Barbara Comstock
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]