MONTPELIER — State officials knew in early June that the state’s online health insurance marketplace faced possible disconnection from the federal data hub because of ongoing security shortcomings, according to documents obtained through a public records request.
Department of Vermont Health Access Commissioner Mark Larson received a letter, dated June 10, from the Centers for Medicare and Medicaid Services explaining that Vermont Health Connect could be disconnected from the federal data hub by Sept. 8 if security shortcomings were not resolved.
State officials eventually took the exchange site offline on the evening of Sept. 15, but did so voluntarily, according to Lawrence Miller, a special advisor to Gov. Peter Shumlin and the state’s chief of health care reform.
According to CMS’ letter, the Vermont exchange fared poorly in two quarterly reviews, which prompted the warning and threat of disconnection.
“[B]ased upon CMS’ evaluation of your quarterly (plan of action and milestones) for the past two reporting periods, ending January 31, 2014 and March 31, 2014, we have identified a significant number of open high security findings and/or open moderate findings that potentially could present risk to the security of the Hub,” the letter states.
The letter acknowledged progress the state was making in addressing security threats, but set a deadline of Sept. 8 to complete that work. It noted, however, that the state “will be disconnected from the Hub and required to submit new security documentation to regain the (Authority to Connect)” if improvements were not completed.
“CMS continues to monitor your mitigation strategies and corrective action plans related to your system’s connection to the Hub, and thus believes that the connection to the Hub continues to be secure. As a result, CMS is not immediately disconnecting your state from the Hub, but provides notice pursuant to Section 18 of the Master Interconnection Security Agreement between the parties dated September 20, 2013, that the open high and/or moderate security findings must be addressed … or your state’s (authority to connect) will be terminated,” the letter states.
Miller said Thursday that he could not discuss the threats identified by CMS, but said they are “potential weaknesses.”
“It’s not necessarily identified weaknesses. It’s potential weaknesses,” he said.
According to Miller, the state’s chief information security officer had regular communication with CMS over the next several months. It initially appeared that the state would be granted additional time to complete security improvements, Miller said.
In an email dated Sept. 3 and sent to Larson, Kirk Grothe, in CMS’s Office of Information Services, said he believed the state would need until Nov. 3 to complete the required security improvements. However, he also noted that he “was not able to commit to the extended timeline.”
Miller said it initially appeared based on conversations with CMS that the state would be granted additional time. However, it became clear over the next two weeks after Grothe’s email that more time would not be granted. Miller said he and other officials then decided to take Vermont Health Connect offline voluntarily because they knew the deadline would not be met and an extension would not be granted.
“They clearly had an elevated anxiety level from earlier in the year. If nothing had changed, every indication we were getting from our contacts was, ‘Oh yeah, if it takes you a couple more weeks, given the fact that you’re switching over from CGI, you’re working on it, it should be fine.’ And then it wasn’t,” Miller said. “It was a pretty easy decision to say, ‘We don’t have to talk anymore. We’ve got it. We’re going to do this.’”
Miller said officials decided it would be “just silly” to try and accelerate the process of boosting security to meet the Sept. 8 deadline. Officials were also trying to improve other functions on the site while transitioning from original contractor CGI to its new contractor Optum.
“We had the security stuff and we had the performance improvements and the website revisions and were in the middle of the transition from CGI to Optum,” he said. “We were looking at whether we could finish within the time period that we were talking about. We said, ‘No, this isn’t going to happen.’”
Despite learning in June of the security issues, state officials did not disclose the problem until Sept. 16, when Miller, Larson and Shumlin held a news conference to announce that the site was taken offline the previous evening. Miller said he and other state officials were told by CMS that disclosing the potential security threats could encourage hackers to attack the site.
“I have no discomfort with the fact that we did not put that out there based on our conversations with CMS on how to handle these things. You don’t talk about this stuff, period,” he said.
Miller said he has “every reason to believe” the site will be back up before the open enrollment period begins on Nov. 15. The Nov. 3 target identified by CMS is no longer valid, he said, because the work has been combined with other site upgrades.
“That had been what the technical assistance folks at CMS concluded was a reasonable date,” he said.
Larson was dismissed from oversight of Vermont Health Connect last month by Acting Agency of Human Services Secretary Harry Chen. Miller is now responsible for the site’s operations.
Read the letter from CMS to former Department of Vermont Health Access Commissioner Mark Larson.
Read emails between state officials and the Centers for Medicare and Medicaid Services, obtained through a public records request, concerning the state’s decision to take Vermont Health Connect offline.