CMS Denies FOIA Request for HealthCare.gov Security Documents

CMS has said it will not release documents related to the security software and IT systems behind HealthCare.gov, citing the potential for hackers to use such information to inappropriately access the site, the AP/San Francisco Chronicle reports.

Background

The Associated Press in late 2013 submitted a Freedom of Information Act request for the documents -- including a site security plan -- amid concerns expressed by Republicans about the website's security.

According to the AP/Chronicle, although a government memo issued last year found that HealthCare.gov faced potentially high security risks, the website has since passed a complete security test.

CMS Denies Request

CMS spokesperson Aaron Albright said the department "concluded that releasing this information would potentially cause an unwarranted risk to consumers' private information." Further, CMS said releasing the documents could violate federal health data privacy laws. It also cited FOIA exemptions meant to protect law enforcement records and individuals' privacy, according to the AP/Chronicle.

AP, Stakeholders Respond

The AP already has asked CMS to reconsider its denial, noting that President Obama in 2009 said federal agencies should not keep information private "merely because public officials might be embarrassed by disclosure, because errors and failures might be revealed, or because of speculative or abstract fears." AP said CMS' denial is based on such speculative fears.

AP also noted that CMS said it would not release any parts of the requested documents despite Attorney General Eric Holder previously saying agencies should consider releasing parts of files with sensitive information redacted. Specifically, AP said that while some information could aid hackers' attempts to break into the site, other data -- including the number of times the site has been broken into and information on how CMS' systems store individuals' personal data -- are "commonly shared in the private sector."

Dan Metcalfe -- former director of the Department of Justice's office of information and privacy – said, "Here you have an example of an agency resorting to a far-fetched privacy claim in an unprecedented attempt to bridge this legal gap and, in the process, making it even worse by going overboard in withholding such records in their entireties."

David Kennedy -- an industry consultant who testified to Congress last year about the security of HealthCare.gov – said, "Security practices aren't private information" (Gillum, AP/San Francisco Chronicle, 8/19).