administrator tavenner, is that correct? >> yes, sir, i believe it is correct. >> all right. so the federal government pays states 100% of the costs for the first three years. and then phases that down -- phases its match down to about 90% in 2020, despite this enormous level of federal assistance. more than 20 states have decided not to participate in the expansion, leaving millions of their own citizens without health care. administrator tavenner, can you comment on the coverage gap that is resulting from these decisions not to expand medicaid in those states? >> yes, sir. i would start, first, by saying with pennsylvania's recent decision, we are now at 27 states i believe, plus the

district of columbia whose decided to expand medicaid. and obviously, if you look at a lot of independent studies, there's noticeable difference in the states that have decided to expand medicaid, in terms of lowering the number of uninsured. we're going to continue to work with those remaining 20 something, and we meet with them on a regular basis to do what we can to encourage folks to expand. by not participating, aren't the states leaving billions of federal dollars on the table that could be used to improve the health of their own citizens? >> yes, sir. they are. and it's also -- has economic consequences for those states as well. >> of course. now, recently, some republican governors as you've alluded to who had originally refused to expand medicaid have now reconsidered their original decisions and have submitted medicaid expansion plans for cms' approval, for instance, in my own state of pennsylvania, as

you mentioned, they decided to expand medicaid which will now provide health insurance to 600,000 low-income adult individuals in our state. administrator tavenner, how will medicaid expansion in pennsylvania impact the health of its citizens? >> i certainly can get you information from independent studies, but there's a definite correlation between coverage of insurance and long-term health improvement. >> good. now, i don't want to leave this question out, other than political posturing by the pennsylvania governor, are you aware of any good reason why 600,000 good pennsylvanians went without coverage for an extra nine months from the rest of the states that expanded medicaid right away? >> no, sir. we want everyone to expand and

expand quickly. >> well, administrator tavenner, why do you think republican governors are so divided on the issue of medicaid expansion? >> sir, i can't answer that. i'm not sure. i'm sure each state has their reasons, we just try to work with them and meet them were he they want to be. >> do you plan to work with other governors who want to reverse their decisions? >> absolutely. >> i want to say, i thank you for coming here today. i thank you for your testimony. i hope that governors in states who have not elected to expand medicaid will reconsider. will reconsider the impact on their communities, will take advantage of this historic opportunity to lift up all of the americans in their states as well. thanks again, administrator tavenner, and i field back. >> would the gentleman yield? >> okay.

at some future time, i'm happy to work with you and explain republican governors to your satisfaction. with that, we go to the governor of utah, perhaps a man who will some day be a republican governor for five minutes. >> reclaiming my time. i thank the chairman and thank you all for being here. miss tavenner, questions for you about the oregon exchange, the american taxpayers put in some $304 million to develop that state exchange. now, they want to come over and make a transition. did you or anybody at cms conduct a cost benefit analysis to determine that the switch to the federal exchange was the most cost effective for the taxpayers? >> yes, sir, we did an analysis of what it would cost for us to bring in two additional states we're bringing in this year, nevada and oregon.

and we did, i wouldn't say it would be a sophisticated analysis, but we did a cost analysis, which you might imagine, we already have 36 states in the exchange. adding two more is cost effective. >> could you share that analysis with us? is that something you could provide to us? >> certainly. >> what is the additional cost? >> i don't have that in front of me, but i'm happy do get it for you. >> when's is a good time -- when would i raise the flag and say that's been long enough? can you give me a sense of the time? i'm sorry -- >> we should be able to get you that in a few days. >> very good. >> i appreciate that. >> it's part of our bill that's ongoing. >> a few more questions about it. what's being done to claw back -- i mean, there's $304 million. is that money all gone? is there some of that coming back? is somebody going to jail?

what's going on with it? >> sir, each day -- >> i want to talk specifically about oregon. that seems to be the most egregious. >> i think oregon has very actively gone after their contractor, and i think that's been in the press. but i'm happy to get you more detail. >> what's the federal government doing. it's federal taxpayer dollars, correct that went into it. >> yeah, these are actually grants awarded the states. so the contract is between the states and the contractor. so the states are working that initially. >> cms, health and human services, department of justice, the federal government. pick your entity. we're doing nothing to claw those back -- claw back those dollars? >> ultimately, i think it's a little early in the decisionmaking right now. states are going after on the basis of individual contracts. >> but the federal taxpayers give $304 million. and we just say well, it's up to oregon to figure out what to do.

>> we're obviously working with the state. >> when we gave these grants, was there no condition or expectation that it would work. was there a deal that set -- we just literally handed over the money and we don't care what happens. i mean, ultimately, it didn't work, correct. >>. >> what we did was a series of progress reports and requirements with the states. and i'm happy to get you that information as well. >> i'm just trying to get some degree of sfpecificity. i haven't heard you say anything yet that you're trying to claw back -- >> we're doing it with the states. >> where is thecontracting with >> so we're just waiting for oregon to do something? >> we're working with oregon and other states. that's all i can say right now. >> and mr. chairman -- >> just what she said is all

she's going to say. she won't answer your question. >> i know. it's something that congress legitimately should look at. we give out 300-plus million dollars and we just call it a day and move on? miss tavenner, is there any criteria or guidance for states who want to drop out and move to our exchange? have you issued? how do you evaluate those, or do you just say yes? >> well, we obviously have a list of criteria and requirements from the state to move from the state-based exchange to move to the ffm. these entities stay state-based exchanges. they can continue to do their marketing. they're outreach. what we're doing is the ffm support. and there are criteria they have to meet for us to move them back in the system so i'm happy to share them with you. >> so you can in that package -- in a few days you'll share that as well. i appreciate that. >> we have a lot of documentation. >> thank you, i appreciate that.

again, for my colleagues here, i just -- we really have to look at this. it's stunning to think that we would hand out by the hundreds of millions of dollars to states and have no recourse. and if it doesn't work, we just kind of throw up our hands and say well, it's up to somebody else to figure it out. that's not the way we should operate. it's pretty stunning and very dissatisfying. and it doesn't produce results. it's not responsible, it's not accountable and very frustrating. i yield back. >> thank you, gentlemen. we now go to the gentleman from massachusetts who was here first. mr. lynch. >> thank you, florimr. chairman. >> i want to thank the members of the panel for your willingness to come here and help with the work. miss tavenner, generally, the way things work is that the private sector has far more resources than oftentimes our government entities.

and they are better prepared, better incentivized to keep data secure. and that troubles me, because i see a list of -- i'm also on the financial services committee as well. and we've been dealing with home depot, we've been dealing with target. we've been dealing with jpmorgan chase, the largest bank in the united states. we're still not sure about the breadth of that breach, but we're concerned about it. we have heartland payment systems. that was 134 million people in the united states. k.b. financial group, 104 million people. global payment systems, 950,000 people. to 1.5 million, we're not sure yet. they even breached the iranian banks, about 3 million people, that was probably us who did

that. morningstar, 184,000 people. citigroup, 360,000 people. so you've got all of these big firms, especially jpmorgan chase. they got some very, very smart people. they have an extreme financial interest, as well as a republicational interest to hang on to that data. so i'm just worried, with the sort of the botched rollout, the difficulty with the state exchanges, including my state of massachusetts. we've had a bunch of data breaches related to health care. are you sure you can sit here today under oath and tell me that nobody has breached the healthcare.gov site. and the folks whose health care information, tax information, personal information, that it

remains secure today as we sit here? >> so, let me answer that in a couple of ways and then i'll go back to the chairman's point about transparency as well. i daresay there's very little that concerns me on a daily basis than the security of this website for a host of reasons. it's a new project, it's been very, very visible in the press, on a daily, if not hourly basis. and we do have the difficulty in the rollout. we have, even within our limited resources, spent a great deal of time and money securing the website. we've been able to meet business standards, omb standards, hipaa standards. but i will always worry about the safety and security of the website. we talked about the earlier incident with the malware. and yesterday, i was informed of another case, not related to

healthcare.gov, but an independent site, if you will that was working with the cloud. with website material, where there was another malware incident. now, there was no personal information, this is something i don't have the details of. these are the types of things that worry me every day. we read about security weekly. >> yeah, i'm not hearing the answer to my question. and i appreciate all of that, believe me, i really do. i only have a minute left. i think you're going to burn all my time here. so there's no guarantee that there's been no breach. i don't want to put it that way, but you don't seem to be able to give me a guarantee. >> well, today, we have nonmalicious breach. we have no breach of personal information. >> that's fair enough. let me ask you, one of the problems we've had with credit

car users, i'm using this as an analogy, for them, you know, that is product. they sell information, i think. sometimes by selling it, they bring on the breach themselves. but they also compile it, so that these credit card companies have 15, 20 years worth of data all sitting there waiting to be hacked. so my purchases at home depot, 10, 15 years ago, is still part of that data grouping. do we do anything to put firewalls up so that if there is a breach of the medical information, that we can somehow limit the damage? >> sir, first of all, yes. part of the design of the system, if you remember the hub, no information is stored on the hub. so that was one step.

second we do not keep any medical information. there is some personal information, but we don't have a need for medical service, so that's not stored within the ffm. the only thing that's stored in the ffm itself separate from the hub is the ability to work the appeals of cases for people who say i didn't get a tax credit, i should have gotten a tax credit. so we keep it minimal. >> is that tax information in there? >> no, there's not tax information. sometimes, people can state their income, but there's not tax information there. >> all right. my time has expired. thank you for your indulgence, mr. chairman. >> thank you, thanks for a very good round of questioning. we now go to mr. meadows. >> thank you, mr. chairman. i'm over here. i want to go ahead and i'll speed through some of these questions. miss tavenner, can you confirm cms will not change their open

enrollment dates? i know we had so many different dates that changed before. you can confirm to the american people and really the providers that those open enrollment dates will not move? >> the open enrollment date is november 15th to february 15th. >> and those will stay firm? >> yes, sir. >> no changes? >> no changes. >> that's good news. how about window shopping. last time you had to actually enroll put your -- i had to go on, when i was shopping, i actually had to sign up to be able to figure out what i want. is that going to be available? >> window shopping will be available and you would not have to sign up this year. >> so we're able to compare plans without putting in any personal data? >> yes, sir. >> okay. let me go further into this, brian sebak has come and shared information with this committee.

are you familiar with who he is at hhs? >> i know who brian is, yes. >> when we were looking at the rollout, this is him in an e-mail, so to your question how am i feeling about the launch, not good. kind of heartbroken, actually. whatever launches if functional will only technically meet the criteria of launching the exchange. it will be riddled with confusing and hard-used compromises, but i really don't know. i'm not seeing anything that's delivered. it's just piecing things together, coming through the grapevine. so there was not a real communication going on between cms and hhs during the whole healthcare.gov launch. >> i'm not familiar with that e-mail, at least i don't think i am. >> so, i mean, i guess the question was, was there a whole lot of coordination between hhs and cms, technology people, going through. because i've been led to believe

that hhs only found out really what was going on through informants? >> well, we did weekly updates with hhs on the website. >> so they didn't have to have informants to find out what was going jon. >> i can't remember if brian was in those meetings or not but i wouldn't think they'd need informant. >> did brian represent to you that the website launch should be delayed because of security testing concerns? >> brian did not recommend to me that the launch should be delayed. brian did discuss -- >> because he shared with the committee that he did. are you sure that he did not say that we should not delay the launch because of security -- >> i think i need to finish my sentence. >> my apologies. >> that's all right. the rest of that sentence is, there was a discussion about would it be possible to beta test or launch a few states, as opposed to bringing up the entire ffm and i and the team

did not think that was possible. >> and why did you not follow his advice? >> about the beta site? >> well, about delaying it. i mean, you say beta site. i say delay. but whether you're right or i'm right, why did you not follow his advice? >> well, i didn't think that it was possible the way that the ffm was configured to do that. >> okay. you shared your testimony earlier, you shared your resume. what part of your resume included i.t. background? because that was his expertise. you sounded like you're a health care provider not an i.t. expert? >> well i am a health care provider. i've probably become more of an i.t. expert in the last year. >> this was in january. at what particular point did your i.t. expert -- >> actually taking the recommendations of our i.t. expert team inside cms and cms contractors who i felt were a

lot closer to this issue than brian. >> so now we can look backwards and realize that the rollout was a disaster. so what do you think of your i.t. expertise within cms today? was brian right, we should some delayed it? >> i don't know that brian was right i know that -- >> was he closer to right than your team? >> not necessarily. i know that we have come a long way in our launch. and i know as i said earlier we have 7.3 million people paying premiums. >> this is about security. and he had a concern in january about security. and yet, you ignored his advice. why would that have been? >> because i had my own i.t. team who conveyed to me that they were confident in the project. >> i yield back, i'm out of time. >> if either of the other witnesses want to comment on the answer to the gentleman's question about a year ago was the site ready and should it

have launched in retrospect. >> well, i would just say that at the time of launch cms increased risk from a security perspective. >> not having reviewed the data that the cms i.t. team had i wouldn't feel comfortable with that. i think it's important to have eyes on the project and be part of the team to make these decisions. it's very difficult as a third party participant to make that kind of assessment without the actual knowledge and data. >> as a former businessman, i would say a site that couldn't accommodate a few hundred people simultaneously signing on and people waiting for weeks or months, security wasn't the reason that should not have launched, but i appreciate you're here on security for the day. for the gentle lady from new york, a place where i.t.

comes first for many of her constituents recognized. >> that's true. i just want to point this is the 29th meeting on the affordable care website and the sixth on the website. come on, please. i want to focus on positive things. that's because the cost growth is slowing to historic lows. that was one of the huge challenges that i confronted the whole time i've been in congress. just the whopping cost of health care in our country. contrary to some of my colleagues' claims that the affordable care act is causing health care costs to skyrocket, there have been multiple reports recently that show that the growth of health care spending in the united states is slowing to historically low levels. and that is good news for everyone. administrator tavenner, earlier,

the services for medicare and medicaid services issued it's health expenditure report. are you familiar with that report? >> i am familiar with that report. >> the report found that national health spending group by just 3.7% in 2012, a near record low and the fourth consecutive year of slow growth of health care costs. in your opinion, what factors are driving this historically low rate of growth? and i'd like the others to chime in, too, if you'd like to add to her response. >> i think that we all felt it was a combination of things. certainly, the recession early on. and but as time went by and we continues to see the historic low growth and i think some of the actions in the affordable care act have made a difference. it's an ongoing difference i have with my actuary, i think

you would agree with me if you were sitting here that affordable care. >> that outside my scope. >> any comment, miss barron? >> that's something that is outside the direction of the scope. >> thank you. cms announced projections for 2013 through 2023. and according to these estimates, national health expenditures grew just 3.6% in 2013. is that correct? >> i believe that is. >> this is the lowest great of growth since the federal government began keeping such statistics since 1960. i would call this a very positive development in public policy, would you agrees? >> i would certainly agree. >> what about the next ten years? we're always looking ahead. i know cms projects an uptick in health spending overall due to

the large number of people who are newly insured through the affordable care act. but what about her enrollee health costs? >> so, we're going back to that report. i think the trend is expected to move back up with a number of individuals in medicare and other. but i think that stresses the importance of our success and tying together delivery system reform. payment and quality. and while that work is critical that we continue. >> well, why will they grow more slowly than before the affordable care act? >> i think because of some of measures we've put in place before the affordable care act. such as time payment to outcome. looking at things like organizations kind of transforming delivery system which is a work in progress. >> now the keiser foundation recently released an annual employee health benefit survey. this report indicates that the

slowdown and health spending also extends to employers' sponsored insurance. and more good news. and according to keiser, premiums in explormployer-spons programs continued since 2012. is that report, correct? do you agree with the keiser report with the data you've been, looking at? >> yes, i've reviewed the keiser report. and employer insurance does tend to follow what we're seeing in medicare and medicaid, yes? >> well, this seems to be very good news for the american consumers in the overall delivery of health care service. i'm very pleased with the reports. and what do they say -- numbers don't lie. it's showing an improvement. so i want to congratulate you and your colleagues who helped bring this to the american

people. thank you. >> thank you. >> thank you. the gentle lady from california, miss spear. >> thank you, first of all, i'd like to congratulate you. you have lived through the real life "survivor" show and have succeeded. i find the fact that we have engaged in the most thorough, repetitive review of the implementation of aca as an incredible waste of your time. now, there's a lot of good news as my good colleague from new york has just underscored. and it's really quite interesting to me that for the longest time there were all those who were panning the affordable care act saying we'll never get the numbers. and lo and behold, you announced

it earlier, miss tavenner, i believe, over 7.3 million subscribers, correct? and then the hue and cry is they won't pay for it and they'll fall on their face. that hasn't been the case, has it? >> no. >> the chairman of the committee and a number of republicans sent you a letter and i want to read one segment. in order to enroll beneficiaries in the exchange, healthcare.gov collects and remains mastiff amounts of personal identifiable information about millions of americans. it includes employment, income and tax records. it is extremely importance that cms and other federal agencies involved in the exchanges properly protect and maintain

this sensitive information. now, i actually agree with that statement. i presume that you agree with that statement? >> yes, i do. >> and having agreed with that statement, have you to date had any cyberattacks that have resulted in personally identifiable information being stolen? >> we have not had any malicious attacks on the site but as the chairman brought up earlier, we did have technical issues on the front end that we had that were our own doing. >> that's right. we're in the present day and let's look to where we are. meanwhile, target's security breach included 110 million americans that were potentially affected. that's $110 million. you're certainly aware of that.

>> yes, i am. >> my staff checked the website and it said the total population of the united states is $19 million. so more than a 30 of americans personally had that information breached, stolen, as a result of that target data breach, but strangely, there wasn't any interest by this committee to have a hearing on that. affecting potentially a third of the american people. see, 110 million people and no hearing. zero people affected, and we've had dozens of hearings. it seems like our priorities are not quite on what the american people would be interested in. now, we do know, as a result of target, that the hacking came from outside this country. it appears it came from russia.

or from some region near there. and rather than trying to find out where these hackers are coming from and how we have forestall them, we're going to waste more of your time asking you, a number of questions, about issues that haven't even impacted -- now, should would say, except that's a private business. how about usia. usis has a contract with the federal government, it does security checks. and 20,000 people have had their personal information stolen from usis, the federal contractor, and have we had a hearing on that? no, that's not important either. so i just want to commend you all that for recognizing that

you can come here to these hearings, i hope we can send you back to work to do the work that the american people would like you to do. i yield back. >> we now recognize the gentleman from maryland for five minutes. >> i want to thank all of you for being here today, as we come to the end of this hearing. le i just -- you may, miss tavenner and others, you may never hear the full thank yous of people who are going to stay alive. because of what you and your colleagues have done. and i really mean that. there are people -- there's a mother who's now going to be alive, that may have been suffering from cancer, breast cancer, a lady in my district. couldn't get treatment. but she's alive, she got treatment.

i have a sister that does a lot in the area of breast cancer, and they were waiting -- they had women who had been tested. and they were waiting for the affordable care act to pass and to come into effect so they could get treatment. i have come to you today and to your colleagues to thank you. i tell the story that when the affordable care act came up, i had one prayer. i came to the floor early, i sat on the front row and i had one prayer. i said, god, do let me die before i vote for it. and the reason i've said that is because i've seen so many people who were sick and could not yet well. you know, johns hopkins is smack

dab in the middle of my district. great hospital. one of the greatest in the world. people fly from all over the world to come to johns hopkins. and there are people standing on the outside, could not get in. but the treatment was in there. and so, you know, i know your colleagues are looking on -- and i just don't want -- i know they've been through a lot. and i remember when we had the website problem. and many were saying, oh, we can never get through this. you know, this is just so horrible. and everybody was warning that everything would collapse. you know what i said, this is a can-do nation. this is a can-do nation. and we need to definitely do when it comes to the health of every single american.

and i listed to what you said a moment ago about how day after day you worry about making sure that people's information is protected. we could not pay you enough, or pay your colleagues enough to go through what they have been through and to worry as you have worried and to do everything in your power to be protective of the american people. and, yeah, you're going to be criticized. yeah, folks are going to try to say all kinds of things about you. but i have come here, at this moment, to simply say thank you. thank you for my constituents. thank you for constituents, our constituents all over this country. and, you know, sometimes i think

about illness, and a lot of people -- i wonder if people had not been will themselves when they see other people in the position of getting sick is or sicker and dying. i wonder whether or not they have ever been ill. and that troubles me, because i think president obama said it best and i wish i have coined this phrase myself. he said, sometimes we have an empathy deficit. an empathy deficit. and so, i take this moment to thank you and i just have a few questions. i'd like to ask you about the attack by the hackers last summer against healthcare.gov. it's my understanding that this attack was not limited to healthcare.gov alone but included a broader universe of targets, is that right? >> so based upon the analysis that our team did, it was a

typical pint of maller that's dropped for cyberattacks. so basically they're trying to use a denial mode. >> the hackers what able to place malware on a server, but it was a test server? >> it was a test server that was deployed and out of box configuration, meaning that the pass word hadn't been updated. >> assigned it, the type of issue is malware of symptoms, designed to not exact information, correct? >> correct, the malware is to use resource of the service for

the botnic for the other victim. >> how common are the attacks? >> very frequently, they happen every day across the globe on the internet, they occur. >> so the bottom line is, at least as of no, no personal information was transmitted outside the agency, is that right? >> correct. the breach was alerted to us. there was no loss of data or pii. due to the separation of the network, this is stuff and separate from the production network. >> thank you. >> thank you. >> well, i guess i still got more questions, but let me just make some statements and then i'll ask a couple more questions. you know, miss spieer has left, and it's unfortunate because mr. lynch was here earlier, they

were asking when are they going to hold hearings, and they forgot that mr. lynch was on the committee for home depot, target, those fall under that employee's site. my staff also mentioned the department of just, the fdic are looking into each and every one of those. with tens of millions of dollars, countless agencies and individuals looking into each of these. my question is, miss tavenner, who's been looking at you? mr. wilshusen, in a nutshell, one of the things you said, they didn't have strong passwords. somebody could put in a short password and not change it, is that correct?

>> that's correct, we recognize several control weaknesses with healthcare.gov. >> so somebody who didn't create a pass wort had a high level of service. >> if they used the password. >> so marilyn and her birthday if that were used would be easily tested? do they have lockout with control? >> we don't want to give information. >> we don't want to tell how weak it is. so i'll be careful on that. but there are techniques that are in place would have been much more secure. >> sure. and the weaknesses that we identify are all -- can be corrected and resolved almost immediately. >> so what you found a year into the site, they were not using best practices? >> we identified several

weaknesses that increased the risk. >> we page a huge premium for cios, executive in congress. we have ordered certain pay to get expertise and we've had some before this committee. you're telling us, a year into the site, they have not put in what people would consider best practices. which is a strong password and period click changing of them. and a look of reduncecy. >> those things should be done. >> you know it's amazing target and home depot had those kind of measures. some of the tools being exactly the same tools that our cia used. so what i'm finding here today

everyone wants to talk about organizations that employed in cases best practices. and were targeted by criminal networks. networks that may have had the kgb successor helping them with the hack. they want to talk about that, the common sense simple practices to secure website, isn't that true. >> i would say probably the majority of incidents within the federal government could be resolved if the agency would practice strong cybersecurity. there's always a risk when you come across an entity, a foreign intelligence service has that sophisticated techniques at least to prevent but by and large, many security incidents could be corrected and prevented in the agencies practiced strong security control. >> and now even without seeing the 13 compromises that occurred, you were able to make

and cms accepted a lot of suggests that are improving the site today. >> we looked at the security controls over those devices and identified vulnerables and cms concurs with the 22 recommendations we're making. >> all of the experts brought in from silicon valley, all of those people missed the 22 points. >> that i can't answer that. >> did they say, oh, we were already doing them and we forgot or did they just say we're not doing them? >> i think they excepted our fi finding expectations. >> would the gentleman yield for bun quick one. a lot has been talked about in

terms of the different sites and home depot and target. and i was one of those that shopped at target, and i have a new credit card today. there are two distinct differences. one is i'm not compelled by law to shop at target. i am compelled by law to sign up for obama care. there's a huge difference. mr. chairman, what happens is that those are voluntary transactions of which i don't have to give my social security number to them. i give them a credit card and i do a transsection. it's very different for healthcare.gov. >> we now go to the general lady from new mexico who has arrived for a round of questioning. >> mr. chairman, thank you very much for recognizing me. i want to thank the panel here today. i share my colleagues's concerns that we should be doing the very

west to protect information. and certainly, we've led in the private sector world with hipaa and related requirements. security suggestions and working tirelessly to make sure patient privacy and now financial information must be protected. i that the point that is important, every person must sign up and be uninsured through the comfortable care act. i want to read this, in the context of this hearing, i think it bears repeating. in gao, the 2013 report found that the federal government continues to face cybersecurity challenges. including and implementing risk-based cybercommunity programs at several agencies. establishing infravurs and detecting and mitigating

cyberincidents. and since that report, we've got 28 gao additional recommendations. i know that we've been talking about today in this hearing. in fact, gao has designated federal information security as a high-risk area. in the federal government, since 1997. and i think that isn't anyone on this in the, or anyone in congress or the public that doesn't think more should be done. the fact that we approach every positive recommendation moving forward. so given that, and miss tavenner, knowing that the coming from millions of americans who will be shopping on the exchanges, how confident are you with others to ensure the protection? >> yes, ma'am, let me start with the 22 technical

recommendations. 19 of those will be resolved, further mitigated prior to that. number six, we're in the process of having completed those or will complete those prior to open enrollment. >> and based on the 19 that you've identifies, miss tavenner, and the remaining measures to implement, you are confidentiality, not only are they limited, but they would be adifferent degree. those hostile or 234eg tiff and intend to access information for their own ways will be find ways to do that. i want to make sure we do everything that we know that mitigates and gives an opportunity to detect when there's a problem. you're confident these will be tested and in place by the open

enrollment period? >> i am confident. i work with homeland security, gao, aig, will always be looking for improvements. >> i appreciate that, given that we're working on another issue in my state, i appreciate your attention to that. and you're coming, mr. chairman -- we're working on a behavorial health issue. to me, it all ties to make sure that consumers have a way been protecting the citizens. it's clear that your committee and oversight is paramount to the work that you do. and the access to health care is only as good in making sure that the protections required by law are in fact in place and they can go to cms and i appreciate

that. >> thank you. >> miss tavenner, i want to ask you a question for what i think i just heard. and i agree with what my colleague said. you said there were six recommendations left. >> there were six major recommendations. and we're in the process of completing those. and some of them are done, and the answer to those would be all would be done prior to open enrollment. >> enrollment starts when? >> november 15th. >> would you let us know officially when they are done? >> yes, sir, i think -- >> for the chairman and myself. i'd really appreciate that. >> can the gentle lady further yield. the general report is you didn't agree to all six.

you now do? >> i think we partially concurred. we're getting the work done. there were some things, for instance, there was a difference that wasn't an action we would change, but we understand where they're coming from. we just have a different way of getting the security testing done. the rest of these things, such as the privacy impact statement, we will have that done. that was a documentation issue. the computer matching agreements with peace corps and opm, we'll get that done before open enrollment. also a security agreement governing equifax, we agreed with that. we'll complete that. of the 2 technical recommendations, we've done 19. the others we're reviewing. i'll be happy to do something in writing back to the chairman, and to the -- >> i think we both would proesht it. gentleman from north carolina. >> i wanted to follow up on one thing, miss tavenner.

and it really, as we start to focus on some of these other issues, it takes our eyes off of the core issue. and that's what the ranking member was talking about, is providing health care, really, to the american public. and that's your primary responsibility. i can tell that you take that seriously. it is a distraction, to say the least, when we have a billion dollars spent on a website that doesn't work, security issues that are there. but along that same time, there was a rule that came out with regards to medicare part "d" in january. that -- a rule that would really limited some of the options of our seniors. a rule that you came, much to your credit, and said, we're not going to do. and i want to say thank you for doing that on behalf of millions of senior citizens who would

have seen choices limited. do i have your assurances here today that we are not going to put forth a rule that is similar in nature to that rule that was brought back? i very rarely have an opportunity to have you in a public forum under oath, so on behalf of millions of americans, do i have your assurances that we're not going to do it? i think you made a good decision. my mom, who's a senior citizen, thinks that you made a good decision. so do i have your assurances that we will not see a similar rule? >> i'm not interested in bringing back the pieces that we pulled. >> okay. that's a good almost answer. so, do i have your assurances, yes or no -- >> you have my assurances i won't bring back the things i just pulled. how about that? i don't have -- >> or something similar. let me tell you the reason why.

and it gets back to cbo indicates that much of the reason that it is working so well is the competitive nature that we have. i mean, that's what the study says. and yet we're going to limit competition. we're going to limit options for our seniors. some cancer, some anti-de press ant, some anti-epileptic. these are serious things. and so you and i can banter back and forth, but really what i need is on behalf of the american people, your assurances here today that that's not going to happen? >> now you're bringing in specifics. i'm not interested in bringing back the drug categories if that's the question. i am interested in promoting competition, promoting private market. and i think we've tried to do that with the marketplace rules as well. we would continue to work with that. >> we're not going to limit competition and we're not going to narrow what people can get? >> that would be my preference,

yes, sir. >> that's your assurance? >> that's my assurance. >> all right. thank you. i yield back. >> could you yield to me? >> sure. be glad to. >> briefly, item 4 from the gao says, perform a comprehensive security assessment of the ffm, including the infrastructure platform and employed software elements. now, initially, that is one you said no to. are you saying you will perform that full systemwide test and have it done by november 15th? because that's sort of the one that gao couldn't -- we can't know what we don't know until you do that, is that right? >> the mike, please. >> we get into a discussion of style here. it is our intention, and we will complete a full end-to-end assessment -- security assessment prior to enrollment, yes, sir. that's scheduled for later this month, or october. i think where we got into a

different kind of construction, it had to do with infrastructure and platform and our definitions. but i think our intentions are the same. >> why don't we let -- greg, if you would give us the rest of it. >> as long as the tests that they perform includes how the applications enter the phase of what the operating platforms and infrastructure, to look at it in totality is going to be critical. because certain vulnerabilities on certain levels -- or layers of the security could affect the security of the other components of it, because there are a number of components involved with this website and its supporting systems. and a number of different entities involved with their operation. >> and so for the layperson out there, would it be fair to say that, for example, when software opens a portal on a particular piece of equipment, that that can create a vulnerability, and one type of hardware, that it wouldn't in another. that that's the type of thing

that they actually have to look at the type of hardware they're using, what it interfaces with and so on, is that right? >> to include looking at the fire walls and routers and switches that support it, as well as the operating systems and how they're being configured, yes, sir. >> and i presume any remote access to devices, vpns, all of that would be part of it. as i understand it, one pc that has a vpn connection that isn't in the software, that once you put it in, it can create a separate vulnerability, right? and that's what you're looking for. so if i saw the heads nod, and i like that, the two of you -- one of you is going to come back to the ranking member and myself if this agreement that you're going to do this by november 15th doesn't happen, is that right? maybe both of you? >> i would be willing to work with your staff to do follow-up. >> i think that's all that mr. cummings and i would like to know. since you're shaking your heads

and smiling now, if that stops between now and november 15th, one of you will tell us? >> yes, sir. >> mr. cummings? >> i'm going to encourage you to do that. just do it, please. >> we will do that. >> and i'm not trying to be smart. miss tavenner, i know -- and all of you, i know you're trying to do what's in the best interests of the american people. i understand that. but it seems as if what we want is the highest level of best practice. am i right, mr. chairman? >> absolutely. >> and miss tavenner, i couldn't help but -- when i was thanking you on behalf of my constituents, i could see a tear come up in your eye. you know, so often i think federal employees -- a lot of people don't realize that a lot

of our employees, most of them are not in government for the money. they're in it -- and i have people coming to work for our committee all the time who are willing to take reduction of salaries from the private sector, because there's something about this that feeds their souls. something about lifting up the public, and making their lives better. so to all of you, and to all of the federal employees who may be listening out, and the ones behind you, miss tavenner, and all of those in the audience and up here, i just want to thank you very much. thank you. >> thank you. i understand the gentlelady from new mexico, did you have any follow-up questions? >> mr. chairman, i don't. i was thanking you. i thank both the leadership that we get feedback, and they represented very effectively all of my concerns and points. so thank you very much for your leadership. >> thank you. i've got a couple very quick wrap-ups that came out of these. big smile, because we're nearing

the end. there was a question about more people being insured. and i just have to ask, is medicaid insurance? >> in my opinion, medicaid is insurance, for sure. but that was not -- >> but the actual level of insurance under medicaid, that was talked about, it's medicaid insurance, that's what's lowering the number of uninsured is medicaid? >> plus the marketplace, lowering that number. >> which has been subsidies primarily? the actual number of people who are receiving unsubsidized health care has gone down, is that right? >> you know, i don't have all the reports in front of me, but actually, the number of people insured off the exchange without subsidy is also rising. i don't have the latest private insurance -- private insurance had a negative trim going on for the last ten years. that seems to kind of stabilized

out. if you add medicaid, and you add the marketplace exchange with or without subsidy, i think that's what you're seeing this -- >> right. but the reason is those questions led to this sort of feeling that, you know, everything was better, but isn't it true that the medicare trustee, charles blahouse, he projected that by 2021, the impact of the affordable care act will be a 346 to $427 billion increase in the deficit. essentially, because the government's going to pay that 100%, and then 90% for medicaid, the government is going to provide those subsidies. the government is in fact the taxpayer, so the deficit will rise based on the money that buys that insurance, is that true? >> i'm not familiar with that report. >> okay. but the government is -- general tax revenues are, in fact, paying for these subsidies and

medicaid. it doesn't come out of a trust fund. medicaid is ordinary income tax. is that correct? >> i'm sure that you know that, mr. chairman. i don't. >> for the record, medicaid is paid out of income tax, and much of medicare is paid out of income tax, that the trust fund, when we talk about it, only pays for a small part of what our seniors reflect. now, really, the final question, and it's one that deeply concerns me, and it wasn't the main topic today, but it's right in your lane. on may 15th, you projected 8 million as an enrollment number. august it's now 7.3. what happened to that 700,000 to 800,000 people? why was there such a precipitous drop? >> so, i -- the 8 million individuals, and i think that number was after the end of open enrollment, had signed up. and i think during the course of

the next several months, individuals may have either gotten employer sponsored insurance. they may have found other eligible for medicaid instead of the marketplace. and some individuals may have decided not to go forward and pay. i think there was always -- >> that's a great question. and the reason i ask that question is, people were asserting that signing up meant nothing, and paying meant everything. how much of that 700,000-plus drop were people who did not pay? or do you know? >> i don't know that information. >> wouldn't it be all of those people did not pay? >> i don't think we'll know that until the end of the year. then we'll probably -- >> let me ask the question a different way. i'm an old businessman. people signed up. they were therefore, insured, is that correct? they enrolled, they were insured. >> these were people who signed up for a plan. but in order to get insured, you had to make a payment, right.

>> well, no, they were insured right away. and then if they didn't make the payment, they went off >> 90 days, right. >> they basically got a free ride. 700,000 people got a free ride. they had coverage. and if something catastrophic happened, they could make a payment. and if something catastrophic didn't happen, they could just let it drop. >> sorry. i don't think we know that information. >> well, no, this is a structural question that i know you must know or the technical people behind you must know. if 8 million people sign up, let's just say 8 million people sign up and not the 700,000 who dropped, but let's just say 50 people out of 8 million had a health event and they weren't going to pay, they just signed up on a lark because it's a free ride to sign up. but then they had a health event, did they get to go to the doctor during that 90 days,

because they had signed up and hadn't yet paid? >> yes. >> so the system as it is today is an incredibly easily gamed system, if i understand correctly? 316 million americans could all sign up, and get 90 days worth of free insurance. and if nothing happens, there's no downside, that they're just letting it lapse by not making a payment, is that right? you don't dunn them, you don't go after them, you don't sue them for the coverage they never had, but never paid for, do you? >> which i think is why it's important to know that as of august, 7.3 million were still making their payments and were still continuing the insurance. >> 7.3 million people may have made small payments because they were highly subsidized or larger payments because they weren't. are you prepared to release those figures anytime soon so we understand the 7.3 million, how many of them, if any, it would be some, were completely unsubsidized, how many were partially subsidized, how many

were substantially subsidized? >> as soon as we have that information, we'll release it. yes, we'll be able to talk about -- >> estimate when? >> i don't have an estimate, but i'm happy to get that for you. >> okay. being an old businessman, i must admit that giving people 90 days free, and no retrospective look to find out whether in fact they were maybe dual insuring, just signing up for a lark, to me means people should be cynics and say, we don't know how many people have signed up, but next year, starting november 15th, i'm presuming that if gao is going to estimate the signups, they're going to be able to only use, that if you get 8 million again, they can assume 7.3 is the net number, right? >> 7.3 is a very strong number. i would remind you the people who sign up and get tax credits have a reconciliation process next april. >> yeah, we're looking forward

to that part. this committee held a hearing, and on the issue of over $15 billion owed to the american people by the state of new york, for excess payments in violation of the law, in violation of cmx maximums, that falls under your watch. have you done anything to reclaim that $15 billion? >> yes, sir, we have. >> have you gotten any of it back? >> we recently initiated that. i don't think we've gotten any of this back yet. but we sent basically the request for recovery. >> you've made a request for recovery. >> we follow our normal process. >> do you have the authority to simply withhold as you would to a private entity? if i'm a doctor, and i overbill $15 billion, or maybe some minor amount less than that, if i'm

less hard working, the first thing you would do is cut off payments for services, right? you simply wouldn't send them a penny. you're sending millions or billions of dollars to new york every month, aren't you? >> i can brief you or your team on this in some detail. whether it's a doctor or entity or whatever, we ask them how they would like to repay us. and we -- >> i wish that were true. i think too many health care entities who make it very clear, your people come in, you make a determination, the moment you make a determination, they basically have to quit their practices and go into an appeal process. and in the meantime, they're not receiving a penny, and you claw back. you want to state that in a way that the private sector people don't call me up and say, how did you let her say that you give people lots of time and ask

them how they'd like to repay it. >> i think you know i was on the private sector side for quite a period of time. if there's ever a question of overpayment, yes, cms will make you aware of an overpayment situation. >> and claw back real fast. >> dmls you want to pay them up front. >> if you're able to write a $15 billion check, they won't deduct from the revenue. >> right. >> is new york prepared to give you a $15 billion check? >> i can't speak for new york. >> but right now, new york, and perhaps others, owe the american people money from excess payments. and they're not being treated the way private sector is being treated. they're being treated a little bit with kid gloves. $15 billion is a lot of money. >> actually, we went through the first year and we made a request, or demand for the money. and i'm happy to brief your staff on that. >> will the gentleman yield? >> of course. >> you have hit on an area that we have had a number of hearings already with regards to rack audits. i would implore you to treat new york the same way you're treating the constituents in my home state of north carolina. because very quickly, what you do is you put private companies out of business. you deny the claim, and you say, you either pay up or you go

home. and if you're not going to treat new york the same way you treat north carolina, i've got a real issue with it, miss tavenner. >> we would treat new york the same way which treat every other state. >> no, i'm talking about government versus private. i'm not -- >> we would treat new york the same way we would treat anyone who owes these funds. new york, i just got this information from my staff, has appealed this decision, which is the same option that anyone has. >> right. and a private company when they appeal, the answer is the same. pay up in five years or go out of business. >> i understand. >> the statute says, 60 months. i know it very well. >> i know. we have treated the states the same way we treat providers. >> so they have to pay up within 60 months, new york. >> i'm happy to get you the information. i just don't -- 4

>> i yield back. thank you. >> i thank you both. we'll go to the ranking member. i appreciate your staff's assistance. although it's an issue that you know is never going away before this committee, it wasn't the is main subject for today. mr. cummings? >> i want to go back to the 7.3 million people who paid their premiums. and i guess 700,000 who did not. there are all kinds of reasons, i guess, why people may not pay their premiums. and a lot of people in our society are still struggling with all kinds of things. you talked about a reconciliation process. can you talk about that for a moment? >> the way that it works is individuals -- the 90-day grace period is set up to give individuals an opportunity to pay. at the same time, they start to receive tax credits. these tax credits are reconciled the next year on their income tax returns. if people have underpaid on their aptc, then they are likely to get a tax credit back. if they have over -- let's say they received a higher aptc, they may owe the federal

government back. that's part of the partnership we have with the irs. i don't think that the 700,000 is -- in fact, i was very pleased to know we have payment levels at 90%. this is a brand-new program. this has never been done before. i think by the end of '14, and as we start to look back on '14, we'll understand the circumstances. i expect in some cases they may have moved, they may have gotten married, they may have gotten insured, they may have lost their income and gone on medicaid or into the uninsureds ranks. we'll only know that as we look back. we're careful not to look back too early. >> these are not necessarily people trying to game the system. >> no, sir.

>> i see folks every day that they're still being informed as to what the affordable care is all about -- the act is all about. and trying to make it one says, working nine to five just to stay alive. sometimes in my district it's working two jobs just to stay alive. they're struggling trying to manage all this information, trying to do the best they can to take care of their families and many of them going through very difficult circumstances. >> that's right. >> thank you very much. >> thank you. >> the gentleman from virginia, normally the first to arrive. we just finished round three and the close. would the gentleman have some questions? >> i sthank thank the chairman. >> the chairman is recognized. >> i was on the house foreign affairs committee with the secretary of state. forgive me for being late. >> i'm sure the questions there were provocative, so -- >> yes. welcome to the panel.

mr. wilshusen, would it be unreasonable of us to suggest that no company, no government, no individual should feel entirely secure and safe in the digital age? >> i would say if you're referring to use of online transactions on the internet, and the like, that there are certainly risks associated with that. just given the weaknesses and the nature of the internet, as well as the competency and prevalence of hackers who might wish to exploit those weaknesses. >> the issue of securing public and private information systems, i assume it's not something you need for the affordable care act implementation? >> no, it's an issue for any computer system operated by any agency, any organization. there's always a need to protect

that information. and certainly, as we mentioned earlier, within the federal government, they've been identifying high-risk areas since 1997. >> right. since 1997. >> yes, sir. >> two administrations ago. >> probably. >> right. miss tavenner, hello. and welcome to our committee. >> thank you, sir. >> i think. it may not have been entirely elicited at the beginning of the hearing, but i welcome you and thank you for your work. let me ask a question. one of the things we hear about the rollout of the website in retrospect is that the coordination of i.t. management is disparate, not always

focused, and perhaps was seen as a technical issue while, you know, cms and the department of health and human services were focused on sort of the bigger picture and the reforms getting in place, and the pieces finally fitting into the mosaic, and maybe this got short shrift. it turned out to be the achilles heel. the whole enterprise was at risk because of this failure, which was a technology issue. in looking back on it, what lessons did you learn as a manager, and is there some validity to that critique, from your point of view? >> yes, sir, i think there's some validity to that critique. some of the lessons learned and changes that we've made early on in year one, and definitely year two, we needed a systems integrator. we needed a clear point of accountability. we needed better communication.

and you're right, there was probably more time spent on the non-technical components and we didn't realize, as the technology was as difficult as it was. so those were lessons learned. i think we've put changes in place. we are very, very happy with the number who signed up. we have -- year two is going to be an equally hard year. it won't be perfection, it will be greatly improved, and we're looking forward to finding more uninsured and help people get coverage. >> thank you for that response. finally, mr. wilshusen, are you familiar with the bill that the chairman and i have co-authored, called the federal information technology reform act, a month old? >> a little bit, sir. but not completely. >> well, that bill tries to get at how the federal government manages i.t. procurement, and

acquisition, and it addresses interalia how the federal government is managed. and i think it's based on the conclusion that it's not well managed, and it's very inefficient, and there are too many people with the title cio, and what could go wrong with that. the estimate is the $82 billion we spend over the year is at least inefficiently used. sometimes downright unfortunately wasted. is it gao's position that we do need some i.t. updates and reforms to kind of update on clinger cohen, which was almost 20 years ago in technology, that's light years. >> that's outside my particular area. i focus on information security and privacy issues. i can get that answer to you.

>> that would be fine. but isn't information security related to how well we're managing our i.t. assets? >> oh, certainly. and certainly there is need for improvements in how i.t. is secured within the federal government. and by an implementation issue. we're also on record that the federal security management act that governs information across the government could also be updated and modified. >> again, i believe this committee and again the chairman, ranking member and i have been involved in that as well. but the house has certainly tried to address that. and with bipartisan common ground on these issues, i urge you to look at the bill and see how it applies to your particular area. >> i will. >> i thank you. mr. chairman, thank you for allowing a shameless plug for our legislation one more time.

>> well, in closing, it's not shameless, but it's a good plug. you know, i'll close because miss tavenner, we'll probably try to do everything without having you back. and i think we're on the right track. this is a committee that does legislation on a very bipartisan basis in most cases and it doesn't get reported. and then we have oversight, and perhaps it's not as bipartisan, and it often does get reported. i do think today's hearing was worthwhile. i believe that hopefully mr. cummings and i both expect that there will be a little bit more certainty as to the security that will come out of the website. cms is critical to the american people. your role has been expanded perhaps more with the affordable care act than any item before. and mr. cummings often talks about the federal work force, and certainly about the good work that's being done. i want to close by saying, that just because we give you a hard time over item after item, just because a number of members

asked about, what about these billions of dollars that were given to states for their failed websites, doesn't mean we think it's easy. just the opposite. we know it's hard. we want government to oversee itself, to the greatest extent possible. and it's the reason that we do appreciate and support the gao. we do appreciate and support the inspectors general. and that we try to be, if you will, their supporters in order to get the kinds of certainty and when necessary reforms that are necessary. so i want to thank you for being here today. i think this was an informative hearing. and with that, mr. cummings gives me a yes, we stand adjourned.

ken senator mitch mcconnell was first elected 30 years ago and seeking a sixth year in office. he's debating his democratic challenger kentucky secretary of state allison grimes. you can see that live on c-span. right now on c-span3, some of the campaign ads from that race. >> you or mitch? after 30 years, who's doing better? mitch has voted himself six pay raises, enjoyed over $600,000 of perks and raised over $70 million. here at home, incomes are down 9%. kentucky has fallen to 44th in jobs and lost over 43,000 manufacturing jobs. sure seems mitch has washington working for him and not us. the democratic senator campaign ad is responsible for the content of this advertising. >> i'm mitch mcconnell and a prove this ad.

>> i'm not barack obama. >> but obama himself says a vote for alison is a vote for his policies. >> i'm not on the ballot this fall, but make no mistakes, these policies are on the ballot. every single one of them. >> obama needs grimes. and kentucky needs mitch mcconnell. >> i'm allison lundergren-grimes. >> first we learned mcconnell skipped hundreds of committee meetings. where was he? he didn't show up to vote on troop funding, the farm bill and va on days he found time for a lobbiest fund-raiser and was on two tv shows. skipped a vote on job but toasted the chinese president for china's great achievement. the rest of the time he created gridlock. 30 years is long enough. >> the media call her ads false and misleading but alison grimes

is attacking on attendance. she must not understand mitch doesn't just serve on committees, he can appoint committee members. it's a power grimes won't have. as for mcconnell's attendance, 99%. alison grimes, no experience, false and misleading attacks. >> i'm mitch mcconnell and a prove this message. >> republican senator mitch mcconnell and democratic challenger alison grimes debate tonight in lexington, kentucky. you can see that live on c-span at 8 p.m. eastern. be part of c-span's campaign 2014 coverage. follow us on twitter and "like" us on facebook to get debate schedules, video clips of key moments, debate previews from our politics team. c-span is bringing you over 100 senate, house and governor debates and you can instantly share your reactions to what the candidates are saying. the battle for control of

congress. stay in touch and engaged by following us on twitter at c-span. and "like" us on facebook @facebook.com/cspan. disabled veterans memorial was dedicated in washington, d.c. earlier this month. speaking were president obama, the interior secretary, veteran affairs secretary and actor and disabled veterans advocate gary sinesi. >> it is with great pleasure we introduce our master of ceremonies, former department of transportation and current senior policy adviser in washington, d.c., the honorable ray lahood. >> good morning. isn't this a glorious day?