those quick fixes are coming out president cally over the next few months to really change the whole system and bring in a new one will take time. we would like it to be done in 2015. >> and that includes the training sn. >> yes, of course. when you put in a new system, we want to commission it. we want to verify people know how to use it before they sit down and are qualified to use it. >> thank you very much. >> thank you, senator murray. >> mr. chairman, thank you. mr. secretary, i don't think i will call you bob, but mr. secretary, thank you very much for your presence as i said earlier. a series of convoluted questions related to the same poppic. i would like to offer my assistance as i have done with previous secretaries. you have testified and the chairman has great interest in trying to help the va have the necessary professionals to meet

the needs of veterans. i asked previous secretary for how can i help. what tools don't you have to solve this problem with no response sn again, if there is changes in the law and programs that are necessary it encourage loan forgiveness or whatever would help you attract professionals, i would like to be an ally. here's my scenario of a couple of stories. lee mann is a veteran. i mentioned him in opening remarks. he had the fortune of the va calling him to tell him he no longer needed to drive four hours to nebraska from kansas to have a colonoscopy. that's the good news. that suggested that there is change afoot. thank you. down the road, about an hour in plainville, kansas, larry mcintyre said he drove three

hours to wichita to get a cortizone shot in his shoulder. he goes several times a week for other minor procedures. there is a sea bot within 25 miles, but they don't have the capabilities as i understand it of providing cortizone shots. what does exist is a hometown hospital. rooks county medical center, plainville, kansas could provide a cord sewn shot in the same town as where mr. mcintyre lives and less than the 3 1/2 hour drive to wichita. we had success on the one hand and on the other there remains the issues that we are trying to get at within the va, but also in implementation. first of all, the implementation of the care act, when the 40 miles is the defining determining factor as to whether or not you can access health care, how are you going to treat

what that sea bot is capable of doing in determining whether or not that veteran lives within 40 miles of the facility sn is it a facility or a facility to perform the service that the veteran needs sn. >> that's a really excellent question. i'm glad you brought it up. one of the changes we are working on is to give the secretary the authority to interpret that the way it should be interpreted. in other words, let's look at it through the veterans lenses. does it make sense for them to get the shot closer to home sn what makes sense sn one of the things we are asking is to give the secretary that flexibility in the technical changes to the care bill. >> you do not believe you have that authority to make that determination now sn. >> no, sir. just by putting in a phrase, it would be handled. we have been working with the staff and does there seem to be an impediment sn. >> no, sir.

>> let me go back to arch in the interim before the care act with november being the best scenario. you set aside $25 million for outside of the va care. that i assume funding expires at the end of the fiscal year september 30th, three weeks away. arch is in existence and the care act gives you the authority to do two things with arch. one is to extend the contracts and the program. the second is to expand beyond the je ol rave that is currently served by an arch program. do you have questions about your ability to expand the program sn. >> one of the changes that pertains is the ability to extend the contracts that we already have to allow us to accelerate the expansion of

arch. >> so the language in the care act is insufficient to allow you to extend the contract sn. >> it means a modest modification. >> when do the contracts expire sn. >> i don't think it's the expiration as much as the assumption that we can use them moving forward. we can move more quickly rather than going through a rebidding process for a new contract -- >> arch is not going out of business before you get a technical change sn it will continue sn. >> let me check on this to make sure. it's extended for six months, but what we are trying to do is extend the expansion as quickly as we can and the way to do this is this technical change. >> you don't need an expansion and language to expand from six months. you need something. >> no. >> the expansion authority sn.

>> the technical change we are seeking allow us to accelerate the expansion. >> i would say i was surprised as an author of this legislation that the programs were so narrow to begin with. a small geographic area. my expectation was the va would choose five sites that are state-wide. we expect it to be a pilot program and not a matter of a county or two. do you have an opinion or thoughts about your willingness to expand to a larger statewide or geographic area sn. >> again, consistent with what the deputy said, we need to look at this again from the standpoint of the veteran. we are looking forward to

working with you on that. >> it's the one for months. you would like to see what the report said to analyze the program. i would assume it would say good things by proiing care. >> all right. it has been a long hearing. i think it has been a productive hearing. 34r chairman, may i say one thing. i want to clarify one comment i made. i recall i said funding for vba is roughly $400 million. that was part of the $17.6 billion request and did not end up getting past. we want to continue to driveway down the claims. secondly i was trying to say earlier that leasing becomes important. leasing is a strategy that we are using to move our footprint

out and provide greater access and care. right now we have an issue that we are trying to resolve with the general services administration. gsa where they rescinded our blanket delegation of authority in july. for at least contracts. every one of the lease contracts needs an individual delegation from the gsa. those that exceed $8.25 million which many of them do, 59% of the 27 do, they need to go through a relatively laborious process. we are working to resolve this. we believe believe there is a case for an independent lease authority for the va to carry out the mission and to continue to provide the points of access. i wanted to make sure i got that

right. >> this has been a long and ongoing program. we look forward to working with you. >> thank you. >> mr. secretary, thank you very much for being with us and thank you for the hard work you are putting in now and the changes we are seeing. this hearing is now adjourned. blap

>> here's a look at tonight's primetime lineup on the c-span networks. microsoft founder bill gates discusses the ebola outbreak and the foundation's pledge to

donate $50 million to fight the virus. the communicators with federal trade mission member who discusses a number of issues with ftc and the internet. including net neutrality and data. a series of discussions on mars and science education. ed which aring a conversation with nasa administrator charles bolden on the difficulties they would face sending humans to fares. all tonight on 8:00 p.m. eastern on the c-span networks. the house oversight and reform committee looking at the protocols in which an armed intruder entered the white house. the committee invited the director of the secret service to appear. you can watch it live at 10:00 a.m. eastern on the com ban yon network, c-span.

>>. >> our debate coverage at 9:00 eastern for the final texas governor's debate between wendy davis and attorney general greg abbott and the oklahoma governor's debate between joe dorm an and mary fallon. watch the nebraska governor's debate. c-span's campaign 2014. more than 100 debates for the control of congress. >> this past friday oregon governor debated his republican challenger dennis richard in their second debate. the political report listed the race as currently safe democrat. here's some of the debate. >> let's remember that oregon is the first state to institute a minimum wage in 1913.

this has been a core value for over a century. i believe it should be higher: i'm not sure what, but i can't see 15. maybe 11 or so. raising the minimum raise by itself doesn't solve the problem. there is a benefit cliff where your income goes up and support services like daycare starts to falloff. if you move from 9 to 13, you have less money in your pocket. no one can live on the minimum wage today. many require social services to support them. we should raise the minimum wage and we have to lift the income. when you get the increase whether it's under a current system or not, you end up with more money in your pocket and make more pay. that ought to be the objective and giving people the ability to take care of themselves and their families. >> thank you. representative richardson. oregon's minimum wage will be $9.25 an hour. should it be higher or stay the

same and why? >> it's important to know that oregon presently has the second highest in the country and indexed with inflation which is 134g many other states do not have. we need to focus on the fact that minimum wage is supposed to be an entry wage. we should not, just looking at how we will be able to raise the minimum wage. we need more jobs and family jobs in our state. that requires us to focus on the barriers to prevent us from having good jobs in oregon. i want to expand our gross domestic product. when there is greater demand, that creates more desire for the products and creates jobs. minimum wage is entry level. we need to provide more jobs to allow people to raise their families and pay the mortgages and have a future here in oregon. >> we have 30 seconds to respond. >> just growing the economy doesn't help people at the

bottom. we have the second largest growing economy and most of the jobs are on the bottom. people trapped with no way up and no way out. no one can live on the minimum wage. you try to take care of a family on that and it is impossible to do. if we care about the future, we will pay people a wage that allows them to take care of themselves. >> a quick clearification on that question. the question was in 2015, oregon's minimum wage will be 9.25 an hour and you talked about that being an entry level wage. can you me if it should be higher or stay the same. >> minimum wage should stay with the same program we have now. this is indexed. what we need to do is not focus on minimum wage, but so people can get beyond minimum wage that. takes a vibrant economy and after three terms we don't have that. the unemployment has been higher

for 18 years and that is unacceptable. >> you can watch that and many others at c-span.org. the house oversight and government reform committee held security and privacy of the health care exchange website. the administrator for the service testified. announcing that 7.3 million people signed up and paid for health care coverage as of mid-august. this is about 2 1/2 hours. >> without objection the chair is authorized to declare a recess at the committee at any time. the oversight committee exists to secure two principals. first, americans have a right to know that the money washington takes from them is well spent. second, americans determine efficient effective government that works for them. our duty on the oversight and government reform committee is

to protect the rights. the responsibility is to hold government, government cou accountable to taxpayers because they have a right to know what they get from the government. work tirelessly in partnership to deliver the facts to the person people and bring reform to the federal bureaucracy. over the past four years, the oversight and government reform committee conducted vigorous oversight of the implementation of the affordable care act called obamacare including the design and launch of healthcare.gov. today the committee focuses on the interconnected issues of security of the website and accountability within the administration and most of all transparency to the american people. the government accountability office released a report this week on security of

healthcare.gov. the gao found the administration failed to take appropriate and sufficient steps to protect healthcare.gov and associate the systems against security and privacy risks. more importantly the gao reported strong asserts that security testing is not complete and security weaknesses continue to plague the website. one of the principal authors will testify before us today. the committee released a report detailing several break downs in both accountability within the administration and transparency to the american people during the design and implementation of healthcare.gov. it is important to understand that with private sector high profile losses of information due to hackers, there huge

repercussions to the companies and the government often comes in and further victimizes the companies who have in fact been victimized by hackers. when the government fails to protect involuntarily taken personally identifiable information, there is nobody but people on this to try to hold government accountable. documents obtained show factions developed within the agency in charge of implementing obamacare, the center for medicare and medicaid services or cms, these factions fought over several issues including over website security. cms offense fought to keep information from their colleagues within the larger department of health and human services and additionally the administration endeavored to keep the truth and the true nature of the website's problems out of the public eye.

following the collapse of healthcare.gov, administration officials refused to admit to the public that the website was not on track to launch without significant functionality problems and substantial sdurt risks. last month, cms denied the associated press access to security documents requested under the freedom of information act. even more recently, cms refused to provide the government accountability office documents related to the 13 incidents that we are going to hear about in vague detail here today. i want to make something very clear. refusal to cooperate with the gao, a nonpartisan government createdentity. they refuse to allow access by the whistle blowers. a refusal to cooperate with even the inspectors general even a

few days ago. with the lack of access even been the legislative part. this is not the most transparent in history and the transparency we see here. cms has offered to reach that on the 13 incidents. on the eve of a hearing after an audit is completed to say we have been glad to belief you. one of the most disingenuous things i have seen. they complied with a reasonable request by the general office and it wasn't done.

the questions can no longer be dismissed in late july. healthcare.gov suffered a malicious attack from a hacker it it took nearly two months to identify the intrusion. the administrator who was with us here today will testify and we will discuss that in addition to the gao report. i'm sure we will hear that there was no loss of data that this was not the main site and so on. that doesn't change the fact that security risk exists whenever you failed to secure not just the main site, but backdoors. too often backdoors have been what we discovered. in the case of another investigation to this committee, we discovered that the backdoors were something as simple in one case as a stolen laptop on which those who stole it later added peer to peer software that made

information on that database available to the public potentially. the federal trade commission opened an investigation and a plaintiff's trial lawyer sued and won money on behalf of people whose information was never actually released, but in fact both the government and plaintiff's bars thoroughly enjoyed going after a nonprofit aids clinic. i cannot and will not allow the government to put itself at a different standard. they informed the committee that once again there were lot of e-mails in response to the subpoena and do you means relative to healthcare.gov. this is not uncommon. this is a pattern of predictability. this administration has not complied with or caused the executives with the appointees

to comply with the federal records act. they admitted to deleting her own e-mails during the time period of obamacare implementation. madam, your actions hinder congress's investigation and prevent the public from accessing information under the freedom of information act. it appears as though this administration holds itself to a different level of compliance with historic federal documents and the last administration or any administration since the passage. we are also today joined by the department of homeland security computer readiness team. the committee has concerns about the team's transparency reported earlier this month. they spent a billion dollars on a website that is still not fully operational and fully not secure. the same government officials responsible for the lack of

transparency and accountability a year ago remain in the position of authority. questions of security, accountability and transparency go beyond whether or not you support the president's health care law. many of these issues are not limited to health care and mirror the transparency and accountability concerns raised again by 47 out of 73 inspector generals in an unprecedented letter to this and other committees of congress in august. minutes before hhs announced publicly on september 4th that healthcare.gov had experienced a malicious attack in july of this year, an hhs official contacted my office to give them limited details of the successful hack. during the brief call they gave the name and phone number of a

contact at the department of homeland security and suggested my staff contact them for more information about the hack itself. my staff reached out and suggested contact at dhs on monday of last week. they followed up on tuesday and we are sold they were running. back with hhs to see if we can all jointly get on the phone. see figure tomorrow will work. however my staff followed up on wednesday and friday and then on monday and tuesday with no response from dhs. i would like to note that despite a week of persistent e-mails from my staff, dhs was unable to make time to brief our committee even by phone. however, two days ago, the minority staff notified me that

they were asking for our witness today to appear as a witness at today's hearing. i accepted it even though clearly this is a witness from an organization that has refused to answer questions or cooperate with the investigation. the minority staff reached out to appear in the witness. they were able to prepare in detail testimony before this hearing dhs has not arranged to brief the staff or answer questions we will be asking here today. i would like to introduce into the record. it appears to be a very different treatment from this administration for the request from a majority of staff. that's placed in the record.

let's cut to the chase. >> i have with me three witnesses. they are clearly not part of the transparency of government. i have no doubt that your organizations have worked and they will try to make this hearing good for you. it is not our job to try to make the hearing bad for you, but the american people deserve the truth, not a cozy relationship between the people of your president's party in covering up the ongoing failure to secure a website that cost over a billion dollars. i am pleased to recognize the ranking member. >> thank you very much. i want to apologize for being at the joint session to hear the president of the ukraine.

they demanded government and safeguard there with their personal information. they safeguard the social security numbers. the credit cards and the health information. nobody wants to get a call from a credit card company saying your personal information has been compromised. in your entire life, it can cause serious financial problems for years. i believe they have the potential to perform a valuable function in the area. jurisdiction over multiple federal agencies and entities, you can promote robust standards

against the government and private sections. we have not fulfilled this potential. today each hearing is the 29th. this is the 6th on healthcare.gov. i completely agree with the aca website that they must be secure. that is why i'm so hardened that despite all of the challenges with the roll out last year, nobody's personal information has been compromised to date as a result of a malicious attack. nobody's. personal information has been compromised to date as a result of a malicious attack. that could change. we have to remain vigilant after all, this is our watch. so far they have been successful. there have been attempts.

last week the centers for medicare and medicaid services reported that hackers uploaded mall wear on to a is server. they have several key facts to know about the attack. first, it was not directed at healthcare.gov alone. a much wider universe of targets. second, the server that was attacked was a test server and had no personal information on it. third, the most important, nobody's personal information was compromised as a result. that incident was investigated by the united states computer emergency readiness team into the department of homeland security. the rest of that team entered written testimony for today and reports and i quote, there is no indication that any data was compromised as a result of this

intrusion, end of quote. they spent time focusing on the affordable care act and the website, they have not compromised any personal data to date. they have been disregarding attacks that compromised a massive amount of personal information. we are talking about hundreds of millions of people. months ago i sent a letter requesting a bipartisan hearing with eastern officials from target. as i wrote, up to 110 million americans were supported to one of the most massive technology breeches in history when their credit, debit and other information was compromised, end of quote.

on september 9th, i cent a letter requesting a bipartisan hearing and community health systems, the nation's largest for profit hospital chain. hackers broke in and stole data on 4.5 million patients. as i noted, this was "the largest hacking related health information breech ever reported." on september 11th i sent a letter requesting a bipartisan hearing examining a breech at home depot where our constitu t constituents shopped. i explained home depot has more stores in the united states and a higher total annual sales volume than target. end of quote. and it appears to have security

breech than the data the end of quote. i sent a letter requesting a deposition with the company that conducts more background checks for the government than any other contractor which had their own breech this summer. i quote and i quote, california press accounts reported that the attack may have compromised the personal information of up to 27,000 federal employees, government experts now believe this snb a floor, not a ceiling. we are talking about the people who work with the federal government. up to 27,000.

i received a letter back, thanking me for my request and acknowledging, the serious incidents merit further review. i thank you for that. these are our constituents. i want to close by highlighting that this is much broader. they represent here today. they warn that the number of cyber attacks is increasing across the federal government. the same is true of the private sector. oversight is called for. i hope they seize the opportunity and they rise to the challenge. with that i yield back. >> i thank the gentlemen. at this time we would like to place examples of state attorney

generals prosecution and reon public sector identities and going after the damages that allow breeches. without objection, so ordered. >> can i get a copy of that? >> we will make it available. it's all basketball information. the vermont attorney general's actions on behalf of your constituen constituents. >> thank you. >> they submit opening statements and we now welcome our witnesses. the subject of some frustration. at the differently health and human services called cms today.

ann barron decamillo is the director of the u.s. computer readiness team of the committee. all must be sworn. will you rise and raise your right hand. do you solemnly wear or affirm that the testimony will be the truth, the whole truth and nothing but the truth? please be seated. let the record reflect that all witnesses answered in the affirmative. in order to allow sufficient time for your panel and what i suspect will be a robust series of questions, i would ask that you limit your opening statement to five minutes although your entire statements including the additional information that you may want to make available will be placed in the record.

without my talking point, it will be hard. >> thank you, mr. chairman. chairman issa and members of the committee. i am pleased to be here as you examine the implementation of the patient protection and affordable care act that requires the establishment of a health insurance market place to assist the consumers in preparing and selecting and enrolling the plans offered by participating and cms is responsible for creating the market place that do not establish their own. this is supported boy an array of it systems including healthcare.gov. my statement will summary and the recent work by security of healthcare.gov. before i proceed, i would like

to recognize several members of my team who are instrumental and protective. with me today-in addition, members from e security lab also participated. >> could you all please stand so that we can at least for a moment realize your contribution? >> health care.kof including the systems of the market place and federal data services hub represent a system that interconnects a broad range of system. the state agencies and health plans. the complexity and

interconnectivity poses a significant challenge. to meet that, cms has undertaken a number of activities to enhance the security and privacy of systems supporting health care.kof. they have the policies and procedures and it developed a process for remediating the security weaknesses and they created interconnection security agreements with the federal agencies with which it exchanges information. it instituted privacy protections such as notifying the public of the types of information that will be maintained in the system. however they did not implement key controls to safeguard the confidentiality and integrity and availability of the federally facilitated market place and information. they did not always require strong password control and

restrict systems from accessing the internet and did not implement patches in a timely manner. they had shortcomings of information security privacy management programs. for the federally facilitated data hub contain most required information, but each was missing key security information. c, ms had undertaken security-related activities that began in 2012. these control assessments did not identify and test all relevant controls prior to deploying the systems. in addition, cms did not assess privacy risk and the impact assessments and had not fully established a process for healthcare.gov systems to ensure they could be recovered in the event of a disruption or disaster. to assist, we made six recommendations addressing the

shortcomings with the security and privacy program. they resolved technical security weaknesses related to access controls and management. cms concurred partially with all 28 recommendations and noted it was taking actions in conclusion, while cms has taken steps to apply security and privacy safeguards to healthcare.gov in supporting systems, weaknesses remained in these systems in the sensitive information they contained in the risk of compromise. mr. chairman, ranking member cummings, this concludes my opening statement. i would be happy to answer your questions. >> the ranking member of congress, thank you for the opportunity to be here today and want to make everyone aware that

cms strives to be as responsible as possible. i understand we have provided over 140,000 pages of documents to this committee. transparency is important and that's why i am pleased to be here to have the opportunity to answer your questions and we will continue to produce documents. in the almost years that i had the privilege to work at cms, my focus has been on how to best serve the beneficiaries including seniors on medicare, adults and children on medicate and consumers enrolling in the market place. when i come to work each day, i work to expand coverage and competition and reduce cost and improve quality in ways that make a difference in people's lives. we are making real and important progress. as of august 15th this year, we have 7.3 million americans enrolled in the health insurance market place coverage. these are individuals who paid their premiums. we are encouraged by the numbers

of consumer who is paid their premiums and continued to enroll every day through a special enrollment period. this is the most recent count of people who have coverage throughout the market place. each month this number will change as consumers transition in and out of coverage as the life circumstances change. everything from getting a new job or being eligible for medicaid and medicare. spending for medicare beneficiary is growing slower. the med sar trustees projected that the trust fund that finances medicare's hospital insurance coverage will remain solvent until 2030, years what was beyond projected a year ago. we strooive to make health care safer and better. we have seen a 9% reduction in

harm sucha as decreased inprotections. this represents over 500,000 injuries and adverse effects avoided, over 15,000 lives saved and approximately $4 billion in avoided cost. this adds up to better health care at a better price and i know that makes a real difference for real people. consumers also trust us can personal information and i take that trust very seriously. security and privacy are one of the highest priorities. c, ms has decades of experience and operating the medicare program and supporting systems and we successfully protect the personal information of beneficiaries and providers. however we must continue to be vigilant and evolve our assessments and actions to keep up with ever changing threats. consumers can use the market place with confidence that the information is safe and take

comfort in knowing that no personally identifiable information has been maliciously accessed from the site. our systems are designed with security in mind and our focus on security is ongoing. it did not end when the market place launched. c, ms conducts continuous monitoring using a 24-7 multilayer professional security team and testing. our systems comply with standards by the office of management and budget. there is risk in any system. that helps us further protect and seeking to improve the protects in place. as we look forward, the goal is to build upon this progress and address outstanding challenges,

we are making it as seamless as possible. we are making management improvements with clear accountability and committed to being transparent. this coming year will be a visible and continued improvement and not perfection. just as we always have. throughout my career, as a nurse and public servant, my focus has been on providing people with high quality health care. i'm proud of the progress we have made and i have to continue to work with congress on our efforts. thank you. >> i will try to do better. thank you. >> let's start again. chairman issa and members of the committee, thank you for the opportunity to appear before you today. we are also making every

opportunity and every effort to be transparent at dhs and to be as transparent as possible. my name is ann barron decamillo within the national skurp security integrations center. we lead the department's efforts in cyberspace to respond to major incidents and analyze threats and share critical information with the trusted partners around the world. they are a 24-7 center and receives ann lizs hundreds of incidents and reports a day. we work with public and private organizations and are committed to the protection of privacy for all americans. we strive for a safer stronger internet for all americans. established in 2003, they initially focused on securing federal systems networks. the capabilities have grown

since the establishment and we are working more closely with partners across public and private sectors to develop a comprehensive picture of mid-igation options. cyber security say shared responsibility and a continuous process. our focus is helping our partners build a resilient and secure episystem. protecting the networks requires coordination across a cyber kmund to enhance others as we continue to mature our own. while dhs leads the effort, agency heads are responsible for assessing risk and taking appropriate measures to secure their networks. u.s. supports agency heads and information officer in carrying out these responsibilities. i'm here in a technical capacity to provide findings from our analysis from the test server at

healthcare.gov. they were notified with who has the responsibility of healthcare.gov. we conducted analysis provided to us by cms and found evidence of mall wear. cummings, our analysis concluded there was no indication of any exposure and no indication of data exfiltration. additionally there's no evidence of movement within the network or further infection. we provided cms a report with the findings as well as mitigation recommendations. additionally, we were able to share indicators from our analysis so that agencies could protect their own networks. we are in discussions with hhs to provide further on-site support. dhs remains committed to working with its federal and private sector partners to create a safe, secure and resilient cyberspace. i look forward to answering any questions that you might have.

>> thank you. i will start with you then. when did you find out you were going to appear here today? >> i believe i was informed on monday. >> when did you begin preparing for today's hearing? >> when i was informed on monday. >> okay. has cert done a security testing of healthcare.gov? >> we were provided images from cms of the compromised test servers. we provided analysis -- >> i appreciate that. the question was, has cert conducted any security testing of healthcare.gov's vulnerabilities. >> no. >> so when there has been no loss of personally identifiable information, if you don't know the vulnerabilities, how do you know -- how would she know that to be true? >> i believe that cms conducts their own scanning and testing. >> did you verify their scanning

and testing to be sufficient? >> we would be happy to provide that information. >> did you? >> i haven't been provided any details. >> you don't know that? >> within the test network? >> it boils down to, you are here as an expert that i didn't expect from an organization that refused to give my staff any briefing related to it. >> i do apologize for that. i was under the impression that our staff was working with your staff. >> as of yesterday afternoon, they put people who didn't have technical expertise on who told us they would get back to us. that's after more than a week of information we have put in the record where we were denied that. maybe i'll go on to gao. i'm going to ask first of all your indulgence. when this hearing is over, i would like you to accept -- pardon me? >> i wanted to hear what you had to say. >> that can happen. i would like you to accept a briefing and do a supplemental related to the 13 breaches. >> okay.

>> miss tavenner, i'm going to presume you will agree you will have full access to all information related to that so that gao may develop specific additional recommendations based on the actual breaches, the 13 incidents. >> yes, sir. >> okay. that will allow us to get what we don't have here today. i appreciate that. you have gone through an extensive amount. would you describe for the committee the level of cooperation you believe you got? we have heard what you didn't get. are there good news stories in the cooperation as you did your investigation or your audit? >> there's is some good news and bad news. we do receive good cooperation from the agent sigs that we audit as it relates to receiving information requests that we provide. and in this case initially,

there were delays in providing certain documents that we had requested. in addition, there were certain -- cms attempted to put certain restrictions on the documents. >> did they cite why they were restricting? are you not trustworthy? >> i think they indicated they were concerned about the security information. >> they don't trust you? >> i wouldn't say that, sir, no. but we elevated the issue within gao and within the department. we reached an agreement to where we would be able to and they did provide the information for us to look at. >> at the end of it all, there was no reason after it was elevated there was no reason that they should have denied it to begin with? >> in my view, no. they should have provided it earlier. but at the same point, you know, they had a concern about the security of the information. so they tell us. their motivation would probably be better addressed by the

administrator. >> limited time. i want to set the stage for what others on both sides of the aisle may ask here. when you looked at the robustness of how they determined with such certainty that there had been no breaches, no loss of personally identifiable information, were you satisfied that that -- all those procedures were robust enough with the certainty that miss tavenner said that no losses had occurred, that no losses had occurred? >> well, we did not receive actual security incident reports on these incidents, at least on the 13. we did receive a written response to an interrogatory in which they indicated that -- at least for the 13, that there was certain pii that was compromised or disclosed to an individual.

but it was consumer. it was through a technical glitch. >> wait. i want to understand. personally identifiable information was lost or disclosed? >> was disclosed according to their description. >> miss tavenner, others will ask additional questions. but your opening statement said none had been lost. how can we reconcile none has been lost with a sworn statement that some has been lost? >> i think what my statement said is there were no malicious attacks. >> oh, so if you just screw up and put the public's information out there, it's okay? because it wasn't a malicious attack? >> no, sir. i don't think any time we put consumer information out there it's okay. >> so my time has expired. i want the ranking member to have full time. i want to make it clear that wordsmithing of no malicious was done versus accidental just as we discovered at the time of the launch, that if i went to the section above where the url normally is, whether that thing

was launched, if i typed in a different number or a different state code, i could have looked at somebody else's record. that was part of what you guys had wrong on the day of the launch, is that could you go to somebody else's record by changing that long streak at the top, meaning no code. that wouldn't have been malicious, i guess, except if somebody were doing it to see what they would get, that would be malicious. when you say no personally identifiable information was lost through malicious, you don't know how much was lost, you believe the definition of malicious wasn't met, is that right? >> i actually -- i think this relates to the personal incidents -- i think we want to cooperate with the goa on that. we're happy to review those. >> thank you. your desire to want to cooperate after we bring you here involuntarily for a hearing is appreciated. but frankly, you should have cooperated with the gao beforehand. >> sir, i like to cooperate with the gao and oig.

we have had over 140 open audits under way. i think we have cooperated. i'd also like to say i came here voluntarily. >> thank you. >> danny? lacy. >> the distinguished gentleman from missouri is now recognized for five minutes. >> thank you. and i thank the ranking member for yielding his time. gao found that healthcare.gov had security weaknesses when it was first launched because of a lack of oversight of security contractors, is that right? >> we found that with respect to when it was first deployed -- recognize that our audit occurred subsequent to the initial deployment. we found that based on review of the documents that there were

certain vulnerabilities in controls that he had not been tested at that time and that there were a few vulnerabilities that had been identified through testing through which the cms had accepted in order to provide an authority -- >> whose responsibilities were incumbent upon the contractor, correct? >> well, overall responsibility rests with the service -- >> with the contractor? >> i believe -- i think in some cases there may be incidents where we did identify weaknesses that were operated on systems operated by a contractor. that was subsequent. that was during the course of our audit. that doesn't necessarily pertain to prior to the system. -- to deployment of the system. >> gao report found there was not a shared understanding of

how security was implemented among our entities involved in the development and security testing of the website, is that correct? >> yes. that's correct. what we found, too, is that in certain instances where cms told us who was responsible, the contractor responsible for certain tests such as assessing the secure -- implementing security on a firewall, it went to the contractor. the contractor indicated it was not his responsibility, that it was another contractor and that responsibility was not identified in that contract statement of work. >> yeah. but scenarios like this obviously increase the likelihood of security risks, is that correct? >> yes, sir. >> and was there a specific cms official or group that was

responsible for overseeing the security testing of healthcare.gov? is there a group? >> well, overall, the cms -- chief information security officer has overall responsibility for reviewing and assuring the security over this system. >> now, for a project of this magnitude, shouldn't an agency official with a broad understanding of i.t. security testing oversee contractors? >> i would say yes. >> and was that the case here? >> i would say that, you know, there is -- the cio, cis would have that responsibility overall. >> okay. who would the cms official be that would have that kind of understanding of i.t. security? was there a person in place? >> yes. they had the cms ciso.

there's several individuals that were responsible for aspects related to security over the healthcare.gov. there is an information security officer that has responsibility for sharing that security control. >> you know, the issues with i.t. security management did not start with healthcare.gov. as a matter of fact, this is a broader government problem that needs to be addressed. don't you think? >> gao has been reporting information security and federal information security as a government-wide high risk area since 1997. so sadly, yes, it's a broad government issue. there have been weaknesses -- as an example, for fiscal year 2013, 18 out of the 24 major

federal agencies covered by the chief financial officers act reported either a material weakness or significant deficiency in their information security controls for financial reported purposes. 21 out of the 24 igs -- they cited information security as a major management challenge. >> so it would be fair to say that all internet facing systems in the federal and private sector involve some risk, is that correct? >> given the nature of the internet and the capabilities and prevalence of hackers who might try to exploit vulnerabilities, yes, the answer is there is risk in conducting online transactions. >> thank you for your responses. mr. chairman, i yield back. >> i thank the gentleman. we go to the gentleman from florida for five minutes.

>> thank you, mr. chairman. i have a copy of your report dated september 2014. in that, you, in fact state gao found -- i think you found that the testing was not complete and that the whole program was rolled out with weaknesses in security and protection of privacy. would that be an accurate statement? gao strongly asserts that testing of the website still remains insecure. is that correct? >> i would say that the testing of healthcare.gov and supporting systems has not been comprehensive. >> even to date, we have risks, is that correct? >> today we have risks. >> security risks, privacy information risks. thank you. the rollout, they actually rolled this out, i saw in the report -- four states had not taken action to secure privacy? >> i would characterize it more

as they had not met cms security requirements. >> right. we'll have those for the record, the states. it's incomplete testing. i see basically a coverup of the failure that took place. did you see any of that? they were trying -- i went through some of these e-mails and some of the record, the committee has. i don't know if you saw this. it looks like quite a coverup or they tried to not let the public know the failure of the rollout and the failure of them to protect this information, is that correct? >> i'm sorry. i could not comment on that, because i have not seen -- >> i can tell you, it's page after page. i mean, i can't even use some of the language used here.

mr. chairman, i would like to have some of this submitted. >> without objection. the entire report will be placed in the record. >> it's astounding, again. this is a blanking disaster. i mean, this is one of the hhs people who saw what was going on at cms. a two-day story that talks about the issues and detailed explanation, but it's stating overwhelming traffic that could have been replicated in testing. one point after another of the coverup. i think unfortunately people like miss tavenner were involved in some of the coverup. did you ever attempt, ma'am, to have any e-mails or records deleted to what was going on in the failure?

>> i'm not aware of the e-mails. i'm not seeing the e-mails you are responding to. i can't answer that. >> i have one e-mail here. you had asked that it, in fact, be deleted. i can supply you with a copy of it. it says, please delete this e-mail. it goes on to detail what was going on, the failure that was going on. first of all, there was a company by the name of circo with a contract of $1.2 billion, is that correct, to process paper applications? >> we retained them. i don't have the amount in front of me. >> again, this e-mail talks about them and the failure of

the proper processing. there were problems with processing the paper applications? congressman, i'm happy to -- you had nothing to do with awarding of a $1.2 billion contract you would tell the committee, too, right? >> i don't understand what -- the question. >> the contract to process paper. here you are talking about -- >> i'm not part of the -- >> here you talk about the problems with the paperwork. you are asking for deleting of information. then i looked into circo. did you know that circo had been awarded the contract of $1.2 billion while they were being investigated? it's a british uk firm and they were being investigated for some fraudulent activities in the uk as they were being awarded a

$1.2 billion contract? >> no, sir, i didn't know that. >> you weren't aware -- >> i think i stated that last year in a hearing. >> any of the background. again, i think we need to put this -- mr. chairman, i would like to put this e-mail in the record where the witness asks that we delete this particular e-mail and the problems with circo. >> without objection, so ordered. >> finally, are you aware that you violate federal law when you asked to delete information like this? >> again, congressman, i would need to see the e-mail. >> we'll provide the witness, if we could. >> we will pause quickly. if you send it down to her. get it quickly down. i would ask unanimous consent to stop the clock and give her an opportunity to read it. thank you. >> just simply, is that your e-mail and did you ask to have

it deleted? it states pretty clearly your intention. mr. chairman, i will defer to you to get a response from the witness. >> this e-mail is from me, yes, sir. that's accurate. and this e-mail was written to julie battai was involved in the call center. this is about the call center information. i think that i asked that she delight this e-mail because it involves sensitive information regarding the president's schedule. and i think that's actually the area that's redacted. but, no, it is not normally my custom to ask -- i sometimes i would ask things be close hold or do not forward. in this case, it involved the president's schedule, if i remember this correctly. >> i would also -- i want the entire content of the e-mail

entered into the record and the reference further down to circo. thank you. yield back. >> briefly, if i could have indulgence. why would the president's schedule after the fact have any relevance to being needed to be deleted? i hear you. the president's schedule becomes very public in real time within a very short period of time. >> so i can't answer the reason to why this was redacted. i didn't make the decision to redact it. that's done by our oversight committee. >> you were surmising it had to do with the president's schedule, it's not all that secretive. it has no relevance for protection after the fact. >> i understand. >> under the federal records act, your communication is to be retained, correct? >> and it was retained. my immediate staff was copied on that. it was retained. >> so deleting it doesn't change

the fact that it had to be retained for the federal records act? >> it is retained. and, in fact, if you are asking about our response, we did that out of an abundance of caution. i didn't necessarily retain e-mails if they related to scheduling changing. going back to the issue of transparency and trying to be forthcoming about information, be decided to notify nora. >> i would hope that the un-redacted versions of all of this would be made available to the gao. and i would ask simply that un-redacted versions be seen by the gao to see if, in fact, it's consistent with what we are hearing. >> a unanimous request. i have articles are circo and people paid to do nothing and circo's checkered past, foreign

company for obamacare and an article, the unhealthy truth about obamacare, contractors. i would like these -- >> without objection, so ordered. >> thank you. >> with that, we will go to the gentleman from pennsylvania for five minutes. >> thank you, mr. chairman. thank you to the witnesses for joining us here today. >> i'm good with that. >> one of the most critical features of the affordable care act is that it expands medicaid eligibility to millions of low-income american adults. prior to the aca, medicaid eligibility was restricted primarily to low-income children, their parents, people with disabilities and seniors. in most states, adults without dependent children were not eligible for medicaid. according to a study issued in april 2014 by the kaiser family

foundation, only about 30% of poor non-elderly adults had medicaid coverage in 2012 and uninsured rates for poor adults were more than double the national average. under the aca, medicaid eligibility can be expanded to cover all non-elderly adults with incomes below 138% of the federal poverty level. administrator tavenner, is that correct? >> yes, sir, i believe that's correct. >> the federal government pays states 100% of the costs for the first three years and then phases that down -- phases its match down to about 90% in 2020. despite this enormous level of federal assistance, more than 20 states have decided not to participate in the expansion leaving millions of their own citizens without healthcare. administrator tavenner, can you

comment on the coverage gap that is resulting from these decisions not to expand medicaid in those states? >> yes, sir. i would start first by saying, with pennsylvania's recent decision, we are now at $27 state, i believe, plus the district of columbia who have decided to expand medicaid. obviously, if you look at a lot of independent studies, there's noticeable difference in the states that have decided to expand medicaid in terms of lowering the number of uninsured. we're going to continue to work with the remaining 20 something. we meet with them on a regular basis to do what we can to encourage folks to expand. >> by not participating, aren't the states that aren't leaving billions of federal dollars on the table that could be used to improve the health of their own

citizens? >> yes, sir, they are. and it's also -- it has economic consequences for those states as well. >> of course. recently, some republican governors, as you have alluded to, who had originally refused to expand medicaid have now reconsidered their original decisions and have submitted medicaid expansion plans for cms's approval. for instance, in my own state of pennsylvania, as you mentioned, they decided to expand medicaid which will now provide health insurance to 600,000 low-income adult individuals in our state. administrator tavenner, how will medicaid expansion in pennsylvania impact the health of its citizens? >> i certainly can get you information from independent studies. but there's a correlation

between coverage of insurance and long-term health improvement. >> good. now, i don't want to leave this question out. other than political posturing by the pennsylvania governor, are you aware of any good reason why 600,000 good pennsylvanians went without coverage for an extra nine months from the rest of the states that expanded medicaid right away? >> no, sir. we want everyone to expand and expand quickly. >> well, administrator tavenner, why do you think republican governors are so divided on the issue of medicaid expansion? >> sir, i can't answer that. i'm not sure. i'm sure each state has their reasons. we try to work with them and meet them where they want to be. >> all right. do you expect to work with additional governors who previously opposed medicaid expansion but are now considering reversing their decisions?

>> absolutely. >> well, i want to say i thank you for coming here today. and i thank you for your testimony. i hope that governors in states that have so far not elected to expand medicaid will reconsider, will consider the impact on their communities to take advantage of this historic opportunity to lift up all of the americans in their states as well. thanks again, administrator tavenner. i yield back. >> would the gentleman yield? okay. at some future time, i'm happy to work with you and explain republican governors to your satisfaction. with that, we go to the gentleman from utah. perhaps a man that will some day be a republican governor. >> reclaiming my time. i thank the chairman and thank you all for being here. s my tavenner, question for you about the oregon elf change.

the american taxpayers put in $304 million to develop that state exchange. now they want to come over and make a transition. did you or anybody at cms conduct a cost benefit analysis to determine that the switch to the federal exchange was the most cost-effective for the taxpayers? >> yes, sir. we did an analysis of what it would cost for us to bring in -- there's two additional states we're bringing in this year, nevada and oregon. and we did -- i wouldn't say it would be a sophisticated analysis, but we did a cost analysis. as you might imagine, we already have 36 states in the exchange adding two more is cost-effective. >> could you share that analysis with us? is that something you could provide to snus. >> certainly. >> what is the additional cost? >> i don't have that in front of me. i'm happy to get it for you. >> what is a good -- when would i raise the flag and say, that's

been long enough? can you give me a sense of the time? >> we should be able to get you that in a few days. >> very good. i appreciate that. >> it's part of our bill that's ongoing. >> a few more questions about that. what's being done to claw back -- there's $304 million. is that money all gone? is there some of that coming back? is somebody going to jail? what's going on with it? >> each state -- again -- >> i want to talk about oregon. >> i think oregon has very actively gone after their contractor. i think that's been in the press. but i'm happy to get you more details. >> what's the federal government doing? it was federal taxpayer dollars, correct, that went into it? >> yes. these were grants awarded to states.

it's between the state and the contractor. so the states are working on that. >> cms, health and human services, department of justice, the federal government, pick your entity, we're doing nothing to claw those back -- claw back those dollar snz. >> i think it's early in the decision making. states are going on the basis of individual contracts. >> but the federal taxpayers give $304 million and we just say, well, it's up to oregon to figure out what to do? >> we are working with the state. >> when we gave these grants, was there no condition or expectation that it would work? was there a deal that said that -- we literally hand them over the money and we don't care what happens? >> what we did are a series of progress reports and requirements with the states. i'm happy to get you that information as well.

>> try to get some degree of specificity. i haven't heard you say we're doing something to try to claw back nearly a third of -- >> what i said is that states are doing that. we're cooperating with states. >> but where is the federal government? >> we're cooperating with states. the contract is between the state -- >> we're just waiting for oregon to tell us something? >> we're working with oregon and other states. that's all i can say right now. >> mr. chairman, i mean, i don't know how -- >> that's what she said. it's all she's going to say. she won't answer your question. >> i know. i think it's something that the congress should look at. we give out 300-plus million dollars and we call it a day and

move on? miss tavenner, is there any criteria or guidance for states who want to drop out and move to our exchange? have you issued or -- how do you evaluate those? do you just say yes? >> well, we obviously have a list of criteria and requirements for the state to move from a state-based exchange to move to the ffm. these entities stay state-based exchanges. they can continue to do marketing, outreach. what we are doing is the support. there are criteria they have to meet. i'm happen my to share that with you. >> in the package -- >> yes. >> in a few days you will share that with me as well? >> we have a lot of documentation. >> thank you. i appreciate it. again, for my colleagues here, i just -- we really have to look at this. it's stunning to think that we would hand out by the hundreds of millions of dollars to states and have no recourse. if it doesn't work, we kind of throw up our hands and say it's up to somebody else to figure it out. that's not the way we should operate. it's pretty stunning and very dissatisfying and doesn't produce results, it's not

responsible, it's not accountable and very frustrating. i yield back. >> i thank the gentleman. we now go to the gentleman from massachusetts who was here first, mr. lynch. >> thank you, mr. chairman. i want to thank the members of the panel for your willingness to come here and help the committee with this work. miss tavenner, generally the way things work is that the private sector has far more resources than often times our government entities, and they are better prepared, better incentivized to keep data secure. that troubles me because i see a list of -- i'm on the financial services committee as well. and we have been dealing with home depot, we have been dealing with target, we have been dealing with j.p. morgan chase, the largest bank in the united

states of america. we are still not sure about the breadth of that breach, but we're concerned about it. we have hearthand payment systems, 134 million people in the united states. kb financial group, 104 million people. global payment systems, 950,000 people to 1.5 million. we're not sure yet. they each breached the iranian banks, about 3 million people. that was probably us who did that. morning star, 184,000 people. city group, 360,000 people. so you have all these big firms, personally j.p. morgan chase, they got some very, very smart people. they have an extreme financial interest as well as a reputational interest to hang on to that data. so i'm just worried with the -- sort of the botched rollout, the difficulty with the state

exchanges, including my state of massachusetts, we have had data breaches related to healthcare. are you sure that you can sit here under oath today and tell me that nobody's breached the healthcare.gov site and that the folks whose healthcare information, tax information, personal information, that it remains secure today as we sit here? >> let me answer that in a couple of ways. i will go back to the chairman's point about transparency as well. i dare say, there's very little that concerns me more on a daily basis than the security of this website for a host of reasons. it's a new project. it's been very, very visible in the press on a daily if not hourly basis. and we did have the difficulty in the rollout. we have even within our limited resources spent a great deal of time and money securing the

website. we have been able to meet standards, omb standards, hippa standards. but i will always worry about the safety and security of the website. we talked about the earlier incident with the malware. yesterday, i was informed of another case not related to healthcare.gov, but an independent site, if you will, that was working with the cloud, with website material, where there was another malware incident. now, there was no personal information. this is something that i don't even have the details of. but these are the types of things that worry me every day. we meet about security weekly. we review -- >> yeah. i'm not hearing the answer to my question. i appreciate all of that, believe me, i really do.

but i only have a minute left. i think you're going to burn all my time here. there's no guarantee that there has been no breach. i don't want to put it that way. you don't seem to be able to give me a guarantee. >> we have had no malicious breach. >> that's fair enough. one of the problems we're having with our credit card issuers -- i'm using this as an analogy, is that for them that is -- that's product. they sell information, i think. sometimes by selling it, they bring on the breach themselves. they also compile it so that these credit card companies have 15, 20 years' worth of data there all sitting there waiting to be hacked. my purchases at home depot ten, 15 years ago are still part of that data grouping.

do we do anything to put firewalls up so that there -- if there is a breach of the medical information that we can somehow limit the damage? >> if you remember the hub, no information is stored on the hub. that was one step. second, we do not keep any medical information. there is some personal information, but we don't have the need for medical information. so that's not stored within the ffm. the only thing that's stored in the ffm itself separate from the hub is the ability to work appeals of cases for people who say i didn't get a tax credit, i should have gotten a tax credit. we keep it minimal.

>> is that tax information in there? >> no. there's not tax information. there can be sometimes people can state their income, but there's not tax information. >> okay. all right. my time has expired. thank you for your indulgence, mr. chairman. >> thank you. thanks for a good round of questioning. we go to mr. meadows. >> thank you, mr. chairman. i'm over here. i want to go ahead -- i will speed through some of these questions. miss tavenner, can you confirm that cms will not change their open enrollment dates? we had so many different dates that changed before.

can you confirm to the american people and really to the providers that those open enrollment dates will not move? >> the open enrollment date for this year is november 15 through february 15. >> those will stay firm? >> yes, sir. >> no changes? >> no changes. >> they can count on it. that's good news. how about window shopping? last time you had to enroll, put your -- i had to go on when i was shopping, i actually had to sign up to be able to figure out what i -- is that going to be available? >> window shopping will be available. you would not have to sign up this year. >> we will be able to compare plans? >> that's right. >> without having to put any personal data? >> yes, sir. >> okay.

great. let me go a little bit further into this. brian sevok has shared testimony with this committee. >> i know who brian is. >> when we were looking out the rollout, he said -- this was him in an e-mail. to your question, how am i feeling about the launch, not good. kind of heart broken. whatever launches, if functional, will only meet the criteria of launching the exchange. it will be riddled with confusing and hard to use compromises. but i don't know. i'm not seeing anything that's being delivered. it's piecing things together kind of through the grapevine. there was not a real communication going on between cms and hhs during the whole healthcare.gov launch? >> i'm not familiar with that e-mail, at least i don't think i

am. >> well, i mean, i guess the question is, was there a whole lot of coordination between hhs and cms technology people going through, because i've been led to believe that hhs only found out really what was going on through informants. >> well, we did weekly updates with hhs on the website. >> so they didn't have to have informants to find out what was going on? >> i can't if brian was in those meetings or not, but i wouldn't think they would need informants. >> okay. did brian recommend to you that the website launch should be delayed because of security testing concerns? >> brian did not recommend to me

that the launch should be delayed. brian did discuss -- >> because he shared with the committee that he did, so, are you sure that he did not say that we should not delay the launch because of security concerns? >> i think i need to finish my sentence. >> my apologize. >> that's all right almost the rest of that sentence is there was a discussion about what would it be possible to beta test or launch a few states as opposed to bring up the entire ffm. and i and the team did not think that was possible. >> and why did you not follow his advice?

>> about the beta site? >> well, about delaying? i mean you say beta site, i say delay, but whether you're right or i'm right, where did you not follow his advice? >> well, i didn't think it was possible the way the ffm was configured to do that, nor did i think it was necessary. >> okay. you shared your testimony, earlier, you shared your res may what part of your resume included an i.t. background, that was his expertise. you sounded like you're a health care provider, not an i.t. expert. >> i'll a health care provider. i have become more of an i.t. expert the last year. >> this was in january, what particular point did your i.t. expert outweigh his? >> taking the recommendations of our i.t. expert team, cms, as well as cms contractors who i felt were a lot closer to this issue than brian. >> okay. so, now we can look backwards and realize that the rollout was a disaster. so, what do you think of your i.t. expertise within cms today? was brian right? we should have delayed it? >> i don't know that brian was right. i know that -- >> was he closer to right than your team? >> not necessarily.

i know that we have come a long way in our launch and as i said earlier, we have 7.3 million people paying premiums -- >> i didn't ask how many had signed up. this is about security and he >> that's true, true of the west coast, too. i just want to note that this is the committee's 29th hearing on the affordable care act and the sixth on the website. oh, come on, please. i want to focus on some very positive things. and that's the cost growth is slowing to historic lows and that was one of the huge challenges that we confronted

the whole time that i've been in congress, is the -- just the whopping cost in health care in our country. now, contrary to some of my colleagues' claims that the affordable care act is causing health care costs to skyrocket, there have been multiple reports recently that show that the growth of health care spending in the united states is slowing to historically low levels. and that is good news for everyone. earlier this year, the centers for medicare and medicaid services issued its national health expenditure report. are you familiar with that report? >> i am familiar with that report. >> well work the report found that national health spending grew by just 3.7% in 2012, a near record low and the fourth consecutive year of slow growth of health care costs. in your opinion, what factors are driving this historically low rate of growth and i'd like the others to chime in, too, if would you like to add to her response. >> i think that we all felt it was a combination of things. certainly, the recession early

on, but as -- as time went by and we continued to see this historic low growth, i think some of the actions in the affordable care act have made a difference and it's an ongoing conversation i have with my actuary and i think he would agree if he were sitting with me, it was both, but the affordable care act made a difference. it's an ongoing conversation and he would agree that it's both. but the affordable care act has made a difference. >> that was outside the scope of my review. >> that is something i have not been involved in as the director of u.s. cert. >> okay. fine. earlier this month, cms released its national health expenditure projections for 2013 through 2023. and according to these estimates, national health expenditures grew just 3.6% in 2013. is that correct? >> i believe that is. >> this is the lowest rate of

growth since the federal government began keeping such statistics, since 1960. i would call this a very positive development in public policy. would you agree? >> i would totally agree. >> what about the next ten years? we are always looking ahead. i know cms projects an uptick in health spending overall due to the large number of people who are newly insured through the affordable care act. but what about per enrollee health costs? >> so, going back to that report, i think the trend is expected to move back up, the number of individuals in medicare and, but i think that stresses the importance of our success in tying together delivery system reform, payment and quality and why that work is critical that we continue. >> well, why will they grow more

slowly than before the affordable care act? >> some of the measures you the in place with the afghanistan, -- the affordable care act, tying payment to outcome, transforming delivery system, which is a work in progress. >> now, the kaiser family foundation recently released an annual employee health benefit survey and this report indicates that the slowdown in health spending also extends to employer-sponsorednsurance. more good news. according to kaiser, premiums in employer-sponsored health plans grew only 3% in 2012. so, i would like to ask you, that's tied for the lowest rate of growth since kaiser started measuring the growth of employer health care plans. do you agree with that?

>> i reviewed the kaiser report, employer insurance tends to see what we are following in medicare and medicare. yes. >> this seems to be very good news for the american consumers and our overall delivery of health care service, so i'm very pleased with these reports. they say numbers don't lie and numbers are showing an improvement. i want to congratulate you and your colleagues for your work to help bring this to the american people. thank you. >> thank you. the gentlelady from california, ms. speer. >> mr. chairman, thank you. i thank you to our witnesses. i want to congratulate you, you have lived through the real life "survivor" show and succeeded. i find the fact that we have engaged in the most thoreau, repetitive implement of the aca as an incredible waste of your time. a lot of good news, as my colleague from new york has underscored and really quite

interesting to me, for the longest time, there were all those who were panning the affordable care act, we will never get the numbers and you were mentioning it earlier, ms. tavenner, 7.3 million subscribers, correct? then the hue and cry was we won't pay for it, pay for one month and won't pay any longer and it will fall on its face. that hasn't been the case either, has it? >> no, ma'am. >> the chairman of the committee and a number of republicans just sent you a letter and i want to read it out loud, one segment of it. "in order to enroll beneficiaries in the exchange, healthcare.gov collects, obtains

and retains massive amounts of personally identifiable information about millions of americans. this information includes social security numbers, personal addresses, income and employment records and tax return records. it is extremely important that cms and the other federal agencies involved in the exchanges properly protect and maintain this sensitive information." now, i actually agree with that statement and i presume you agree with that statement? >> yes, i do. >> and having agreed with that statement, have you, to date, had any signer attacks that resulted in personally identifiable information being stolen? >> we have not had any malicious attacks on the site that have resulted in personal identification being stolen.

as the chairman rightfully brought up earlier, we did have some technical issue on front end that we had that were our own doing that we had to -- >> that's right. but we're in the prent day and let's look to where we are and where we're going. okay. now, meanwhile, target security breach included 110 million americans. potentially affected. you're wear of that? >> i am. >> my staff checked the census website and said the total population of the united states is 319 million. so, more than a third of americans potentially had their personally identifiable information breached, stolen, as a result of that target data breach. there wasn't an interest by this committee to have a hearing on that potentially affecting a third of the american people. see, 110 million people

affected, no hearing. zero people affected, and we've had dozens of hearings. it seems like our priorities are not quite on what the american people would be interested in. now, we do know as a result of target that the hacking came from outside this country, it appears it came from russia or from some region near there. and rather than trying to find out where these hackers are coming from and how we can forestall them, we are going to waste more of your time asking you a number of questions about issues that haven't even impacted. now, some would say, well, accept that's private business. well, how about u.s. is? they have a contract with the federal government. it does security checks and 27,000 people have had their

personal information stolen from usis, a federal contractor and have we had a hearing on that? nope. appears that's not important either. so, i want to just commend you all for recognizing that you have to do this no matter what, come to these committee hearings, you do it with great respect and we appreciate that. i hope we can send you back to do the work that the american people would like you to do and i yield back. >> i'll take my time now. >> we now recognize the gentleman from maryland for five minutes. >> i want to thank all of you for being here today as we come to the end of this hearing. i just -- you may, ms. tavenner and others, you may never hear the full thank yous of people who are going to stay alive because of what you and your

colleagues have done. and i really mean that there are people -- there's a mother who's now going to be alive, may have been suffering from cancer, breast cancer, like the lady in my district, couldn't get treatment. but she's alive, she got treatment. i have a sister that does a lot with breast cancer and they were waiting -- they had women who had been tested and they were waiting for the affordable care act to pass and come into effect so they could get treatment. i have come to you today and to your colleagues to thank you. i tell the story that went affordable care act came up, i had one prayer, i came to the floor early, i came early and sat on the front row and i had one prayer, i said, god do not

let me die before i vote for it. the reason why i have said that is i have seen so many people who were sick and could not get well. you know, johns hopkins is smack tab in middle of my district, great hospital, one of the greatest in the world. people fly from all over the world to come to johns hopkins. and there are people standing on the outside, could not get in, but the treatment was in there. and so, you know, i know your colleagues are looking had on and i just don't -- i know they have been through a lot. and i remember when they -- we had the website problem and many were saying, oh, we can never get through this, so, you know, just so horrible and everybody was warning that everything

would collapse. but you know what i said? this is a can-do nation. this is a can-do nation. and we need to definitely do when it comes to the health of every single american. and i listened to what you said a moment ago about how, day after day, you worry about making sure that people's information is protected. we could not pay you enough or pay your colleagues enough to go through what they have been through and to worry as you have worried and to do everything in your power to be protective of the american people. and yeah, you're gonna be criticized.

yeah, folks are gonna try to do and say all kinds of things about you. but i have come here at this moment to simply say thank you. thank you for my constituents. . thank you for constituents -- our constituents all over this country. and, you know, sometimes i think about illness. and a lot of people -- i wonder if people have not been ill themselves when they see other people in the position of getting sick, or sicker, and dying. i wonder whether or not they've ever been ill. and that troubles me, because i think president obama said it best, and i wish i had coined this phrase myself, he said, sometimes we have an empathy deficit. an empathy deficit. and so i take this moment to thank you, and i have just a few

questions. i'd like to ask you about the attack by the hackers last summer against the website. it was my understanding this attack was not limited to health care dot gov alone, but several targets, is that correct? >> it was a typical kind of malware dropped for denial of service attacks. they were trying to create a botnet to attack. so they use them for those types of attacks. >> the hackers were able to place malware on a server, but it was a test server, it did not have any personal information, is that correct? >> based upon the analysis that our team did, it was our test that we did. the default password hadn't been updated.

>> as i understand it, the type of malware called denial of service, malware, which is designed to spill down, or even shut down a system, but not extract information, is that right? >> correct. the malware is to use the resource of the server as part of this botnet. it wasn't charging the server, but using the server for another victim. >> why are these kinds of denial of service -- >> pardon me? >> how common are they? >> they happen every day across the globe on the internet. >> so the bottom line is that at least as of now, no personal information was transmitted outside the agency, correct? >> that's correct. it was discovered by cms. we looked at the images that were provided. there was no infiltration of data, or loss of pii. this is a separate network. so there was no lateral movement

into the production associated with this activity. >> thank you. >> thank you. >> well, i guess i've still got more questions. but let me just make some statements, and then i'll ask a couple more questions. miss speier has left, and it's unfortunate because mr. lynch was here earlier. it was asked when are we going to hold all these hearings, and mr. lynch is in the financial services committee, and they've held hearings because they oversee the financial community, meaning home depot, target, these other companies that we're referring to, these all fall under that committee's primary oversight. because these were financial transaction related. my staff also mentions that the federal trade commission, the department of justice, the cfpd and fdic also are looking into each and every one of those. so with tens of millions of dollars, countless agencies and individuals looking at each of

these, the question is, miss tavenner, who's been looking at you? mr. wilshusen? in a nutshell, what you said in the beginning was, they didn't have strong passwords. so somebody could put in a short password and not change it, is that correct? >> that's correct. we identified several tactical security control weaknesses with healthcare.gov and supporting systems. >> so they didn't create a huge vulnerability -- >> if they used a weak password that could be easily guessed, that could be increased risk. >> so marilyn and her birthday, if that were used, would have been easy to guess, certainly would have been tried. did they have advance lockout systems in detection and reporting? >> one of the things -- i don't want to get too detailed into the security controls, so we don't give any -- >> we don't want to tell how weak it still is. so i will be a little careful on

that. but there are techniques that if they were in place would have been much more secure. >> sure. and the weaknesses that we identify are all -- can be corrected and resolved almost immediately. >> so what you found a year into this site was they were not using best practices? >> we identified several weaknesses that increased the risk, and unnecessarily increased preventable risk. >> we take huge premium for cios, senior executive service, we, the congress, have authorized special high pay, quarter of a million dollars and more to get people with special experti expertise. you're telling us a year into this site they simply have not put in what people consider best practices in some cases, including requirement for strong password and periodic changing of them, and the lack of redundancy on passwords, common things that protect sites, right. >> those things should be done,

yes. >> it's amazing that target, home depot had those kind of protections, but there was a malicious attack from a foreign nation with advanced tools. some of those tools being exactly the same tools that our cia and saa use to go after the worst of the worst and we succeed all the time. what i'm finding here today is everyone wants to talk about organizations that employ in many cases best practices, that did their best and were targeted by very advanced networks, networks that may have even had the kgb successor help them attack. and they want to talk about those rather than a lack of common sense, simple practices to a secure website, isn't that true? >> i would say that probably the majority of federal are incidents that occur within the federal government could be resolved, perhaps prevented if agencies practiced strong cybersecurity. there's always going to be a risk that you come across an

entity, a foreign intelligence service that has very sophisticated techniques that may be difficult to protect against. at least to prevent. but by and large, many security incidents could be corrected, and prevented if the agencies practice strong control. >> even without seeing the 13 come pro mileses that occurred, you were able to make and cms accepted a lot of suggestions to improve the site here today? >> we looked at the security controls over those devices that we looked at. and identified vulnerabilities that could be corrected. and cms concurred with each of the 22 technical recommendations that we're making. >> so all of the talk about this robust team, all of those experts brought in from silicon valley, special people that worked on the president's reelection, all those people had missed those 22 points? >> that, i can't answer in terms of -- >> but when you suggested these, did they say, oh, we already

were doing them and just forgot or we weren't doing them and now we will? >> we identified them during the course of our review and they said they will implement -- >> you're very kind. >> will the gentleman yield for one quick point? >> go ahead. >> a lot has been talked about in terms of the different sites and home depot and target, and i was one of those that shopped at target and i have a new credit card today. there are two distinct differences. one is, i'm not compelled by law to shop at target. i am compelled by law to sign up for obamacare. there's a huge difference. mr. chairman, what happens is, is that those are voluntary transactions. of which i don't have to give my social security number to them. i give them a credit card and i do a transaction. it's very different for

healthcare.gov. >> i thank the gentleman. we now go to the gentlelady from new mexico for a round of questioning. >> mr. chairman, thank you very much for recognizing me. and i want to thank the panel here today. and i share many of my colleagues' concerns that we should be doing the very best to protect information, and certainly we've wed in the private sector world in hipaa and related requirements, security protections and working diligently and tirelessly to make sure that patient protection, patient privacy and now financial information must be protected. and i think that the point is important that every person must sign up and be insured through the affordable care act. and i want to just read this, because i think it bears in the context of this hearing, i think it bears repeating. so in gao in the march 2013

report, found that the federal government continues to face cybersecurity challenges. including designing and implementing risk-based cybersecurity programs at federal agent situation. establishing and identifying standards for critical infrastructures, and detecting and responding to and mitigating cyber incidents. and since that report, we've got 28 gao additional recommendations. and i know that we've been talking about today in this hearing. in fact, gao has designated federal information security as a high-risk area in the federal government since 1997. and i think that there isn't anyone on this committee, or anyone in congress, or the public that doesn't think that more should be done. and in fact, that we embrace every potential positive, productive recommendation moving forward. so