The head of the House Space, Science and Technology Committee says he might call U.S. Chief Technology Officer Megan Smith to testify about potential HealthCare.gov consumer privacy gaps.
Committee Chairman Lamar Smith, R-Texas, sent letters to Smith, as well as the heads of the Department of Health and Human Services and the Centers for Medicare and Medicaid Services, following an Associated Press investigation into the presence of data mining companies on HealthCare.gov.
A Jan. 20 AP report revealed data firms embedded on the health-insurance sign-up site -- including digital giants such as Facebook, Google and Twitter -- could “glean details” about users, including age, income, ZIP code, whether they smoke and if they are pregnant.
A few days after the AP report was published, officials said they were curtailing the practice.
Still, Lamar Smith called the extent of the potential data mining “astonishing.”
“Once a data mining company seizes this treasure trove of sensitive personal information, it is able to combine this data with other information collected by tapping into commercial websites and databases such as phone calls, texts, social media posts, frequently visited websites and credit card purchases,” he said in the letter to officials.
The letters were addressed to Megan Smith as well as Sylvia Burwell, the head of HHS, and Marilyn Tavenner, the CMS administrator.
Lamar Smith, citing the “serious issues of personal privacy and government information security” raised by the AP report, said the committee may ask the officials “to appear on relatively short notice and testify,” according to the letter.
In his letter, the chairman said he wants to know:
- Whether the officials were aware of the data mining before the AP report was published;
- Who was consulted about the presence of third parties on the site and who ultimately approved it;
- The justification for allowing the companies access to the site and whether that conforms with the Federal Information Security Management Act and other cybersecurity regulations; and
- Whether CMS is able to track the activities of third-party data mining companies.
If Megan Smith is requested to appear before the committee, it will be the first time she testifies before a congressional committee since becoming the country’s top technologist in August. Her appointment did not require Senate confirmation.
It may not be the friendliest terrain for the former Google executive.
Lamar Smith’s committee sought numerous times last year to tie her predecessor, Todd Park, to the failed launch of the Obamacare website, even going so far as to subpoena him to appear before the panel to answer questions about site security.
Before limiting the practice, Aaron Albright, a CMS spokesman, had initially defended the data mining firms’ access to the health care site, telling the AP that outside vendors are allowed access to the site to measure its performance and to offer consumers a “simpler, more streamlined and intuitive experience.”
But he added that companies “are prohibited from using information from these tools on HealthCare.gov for their companies' purposes.”
However, Lamar Smith in his letter to the administration officials said it isn’t clear how the agency would monitor what data mining companies do with the data.
Third-party sites that track website performance and collect targeted information on users are pretty much par for the course for much of the rest of the Web, the AP noted. And there was no indication personal information collected on HealthCare.gov had been misused by the companies.
Rather, it was simply the sheer number of third-party connections -- numbering at least 50, including Google's data-analytics service, Twitter and Facebook as well as a number of advertisers -- that raised eyebrows.
"Anything that is health related is something very private," said Mehdi Daoudi, CEO of Catchpoint Systems, whose company examined the health care site at the AP’s request. "Personally, I look at this, and I am on a government website, and I don't know what is going on between the government and Facebook, and Google, and Twitter. Why is that there?"