A Project of The Annenberg Public Policy Center

Eric Cantor’s Security Scare


Rep. Eric Cantor distorts the facts when he says an Obama administration official described HealthCare.gov’s “security problems” as “‘limitless’ prior to the website’s launch.” That official actually deemed the security risk “acceptable” in a Sept. 3 memo that authorized the website to operate.

Cantor, the Republican majority leader, made his remarks at a House Republican weekly press conference on Dec. 3. Cantor read from prepared remarks. His theme: the administration is hiding the truth from the American people.

Cantor, Dec. 3: The administration has tried to hide the security problems that exist with the website that one official called “limitless” prior to the website’s launch.

Cantor’s office tells us the “limitless” quote comes from a Sept. 3 Authorization to Operate (ATO) memo written by Tony Trenkle, who at the time was the chief information officer at the Centers for Medicare & Medicaid Services. CMS, which is an agency within the Department of Health and Human Services, was responsible for building a secure website for the federal health exchange created under the Affordable Care Act. The exchange allows Americans to buy insurance and determine if they are eligible for government subsidies.

In his memo, Trenkle deemed the website risk “acceptable” and authorized it to operate through Aug. 31, 2014:

Trenkle, Sept. 3: I have determined through a thorough review of the authorization package that the risk to CMS information and information systems resulting from the operation of the FFM information system is acceptable predicated on the completion of the actions described in the attachment. Accordingly, I am issuing an Authorization to Operate (ATO) for the FFM information system to operate in its current environment and configuration until August 31, 2014.

(NOTE: The emphasis in the memo was Trenkle’s, not ours.)

Cantor actually quotes the attachment to Trenkle’s memo. The attachment listed six corrective actions that needed to be accomplished by specific dates in 2014 and 2015 in order for CMS to maintain its authorization to operate the website through Aug. 31, 2014. That’s what Trenkle meant when he said that his authorization was “predicated on the completion of the actions described in the attachment.”

The attachment is heavily redacted, but we know that there were two findings of high risk, and one of them says that without corrective action “the threat and risk potential is limitless.” Those are the only words not blacked out in the second column under the heading of “finding description.” (See image to the left.) This particular finding of high risk needed to be corrected by May 31, 2014, or CMS would lose its authorization to operate the website, the memo states.

So, Trenkle was not talking about security problems with the website that launched on Oct. 1. He was talking about other parts of the website that would be added later and would need to be functioning securely for CMS to continue to operate HealthCare.gov. This was confirmed by Henry Chao, the deputy chief information officer at CMS, at a Nov. 13 oversight committee hearing.

Chao told the committee that the findings of high risk referenced in the Sept. 3 memo pertained to parts of the website that did not go live on Oct. 1, so there were no high security risks when it was launched — contrary to a CBS News report that carried the headline, “Memo warned of ‘limitless’ security risks for HealthCare.gov.”

Rep. Gerry Connolly, a Virginia Democrat and committee member, accused the Republican majority of leaking the Sept. 3 memo and a partial transcript of Chao’s closed-door interview with the committee to CBS News, and Chao claimed the Republicans misused his testimony about the memo to exaggerate concerns about the website’s security.

An exchange between Connolly and Chao at the hearing ended like this:

Connolly, Nov. 13: So to just summarize, correct me if I’m wrong, the document leaked to CBS Evening News did, in fact, not relate to parts of the website that were active on October 1. They did not relate to any part of the system that handles personal consumer information. And there, in fact, was no possibility of identity theft, despite the leak [to CBS News].

Chao: Correct. Correct.

House Republican leaders have repeatedly questioned the security of personal information that Americans must enter on HealthCare.gov in order to obtain health coverage and receive government subsidies. But they have twisted the facts in overstating their case. At another leadership press conference last month, GOP Majority Whip Kevin McCarthy erroneously claimed that Consumer Reports warned Americans not to use HealthCare.gov “because of the fear of having fraud.”

Consumer Reports gave no such warning, as we wrote about at the time.

— Eugene Kiely