QSSI failed to stop employees from downloading unauthorized info onto jump drives, other devices, IG says.
The contractor now responsible for stabilizing HealthCare.gov, under a separate, ongoing contract, endangered the private information of millions of entitlement program beneficiaries, according to federal investigators.
Quality Software Services, Inc., or QSSI, failed to stop employees from connecting unauthorized USB devices, such as thumb drives and smartphones, to computers testing Centers for Medicare and Medicaid Services systems, investigators discovered. A June Health and Human Services inspector general report categorized this misstep as a “high” risk.
The findings came at an awkward time. QSSI was a key architect of the HealthCare.gov sign-in process that ultimately hobbled the enrollment process nationwide. QSSI built the registration tool. Certain procedures, asked for at the last minute by the administration, prohibited consumers from browsing health care plans until confirming their identities and creating accounts.
At CMS, QSSI personnel test the performance of systems that handle beneficiary data. To ensure the privacy of Medicare beneficiaries, IG officials in May evaluated safeguards at QSSI to prevent USB drives from compromising personal information.
“As a result of QSSI’s insufficient controls over USB ports and devices, the [personal information] of over 6 million Medicare beneficiaries was at greater risk from malware, inappropriate access, or theft,” Kay Daily, HHS assistant inspector general, wrote in a June report.
One individual, for example, had connected 28 different portable devices capable of saving files to a single computer, and company officials could not determine whether those devices were authorized.
Ex-intelligence contractor Edward Snowden and convicted leaker Chelsea Manning, a former American soldier, allegedly exposed government secrets by extracting data onto such devices.
Nevertheless, the Obama administration has selected QSSI to command a “tech surge” to right the online insurance marketplace by Nov. 30.
In response to a draft IG report, Anh Tran, QSSI technical director, wrote in a Jan. 11 letter that the company now plans to configure USB ports on laptops for “read-only” access, which would block individuals from downloading data. Contractor officials said all portable devices would be required to undergo virus scans.
The company’s prior HealthCare.gov dealings also have come under scrutiny in Congress. The House Energy and Commerce Committee last week summoned QSSI officials to discuss testing they had performed on the site prior to its Oct. 1 launch.
Rep. Darrell Issa, R-Calif., chairman of the Oversight and Government Reform Committee, announced Tuesday that he has subpoenaed QSSI to turn over documents about its work.