Nearly 20 million Americans have now experienced the broken Obamacare website first hand. But Ben Simo, a past president of the Association for Software Testing, found something more than a cumbersome login or a blank screen—clear evidence of subpar coding on the site.
In mid-October, he went to Healthcare.gov to help a family member get insurance, only to find his progress blocked. When he investigated the cause, he discovered that one part of the website had created so much “cookie” tracking data that it appeared to exceed the site’s capacity to accept his login information. That’s the mark of a fractured development team.
Even more alarming were the security flaws. An error message from the site relayed personal information over the internet without encryption, while the email verification system could be bypassed without access to the email account. Both security vulnerabilities could be exploited to hijack an account. “Because this is a huge system that people are mandated by law to use, the standard should be higher,” says Simo. “People are going to see it as a high value target.”
At the time, President Obama was still arguing that the main culprit for the breakdowns was the popularity of the site. “The website got overwhelmed by the volume,” he said on Oct. 4. The reality, of course, was far more dire.
The basic architecture of the site, built by federal contractors overseen by the Department of Health and Human Services, was flawed in design, poorly tested and ultimately not functional. “You need there to be good people on the inside to make good contracting decisions and good people on the outside to do the work,” explained Clay Johnson, a Democratic technology consultant who recently worked as a White House fellow. “Right now, it’s the blind leading the blind.”
Even on the back end of the site, data was garbled and, in some cases, unusable. The nightly reports that insurance companies receive from the federal government on new enrollees in the health plans have been riddled with errors, including syntax mistakes, and transposed or duplicate data, according to industry veterans. In other cases, insurers received multiple enrollments and cancelations from the same person, but since the documents lacked timestamps, it has been impossible to know which form is the most recent. Companies have resorted to contacting enrollees directly to get answers, a solution possible only because so few have been able to sign up. “We are seeing and hearing that enrollment files going to carriers are incomplete, there are errors,” said Dan Schuyler, a director of exchange technology at Leavitt Partners, a firm that consulted with several states in setting up their websites. “In three weeks or so when they start receiving these in mass volume, tens of thousands per day, it doesn’t matter if there’s a 1 percent error rate. Insurers don’t have resources to go through them and clean them up.”
After three weeks of breakdowns, Obama decided that he could no longer stand by his own spin. “Nobody is madder than me about the fact that the website isn’t working,” he said Oct. 21 in a Rose Garden speech that instructed others to stop “sugarcoating” the problems. In fact, the warning signs have been clear for months inside government, even if the White House failed to sniff them out. Federal auditors raised alarms in June, warning of missed deadlines and unfinished work. Administration officials have since put out the call for new contractors, and Silicon Valley talent, to fix the work. Jeffrey Zients, a top White House aide and former management consultant, has been tasked with leading the effort. But the pivot has not come with any new transparency about the problems. Obama’s aides refuse to confirm any particular bugs, or describe just what is wrong, as part of an effort at damage control aimed at keeping the public enthusiastic about the insurance marketplace. More clarity could come Thursday when information technology contractors plan to testify before Congress on their work.
Senior White House aides, including Chief of Staff Denis McDonough, met with insurance executives on Wednesday to chart a plan for solving the problems. “We have worked with the insures and the ‘alpha teams’ we jointly established made up of insurers’ technology experts and CMS technology experts, to iron out the kinks,” said Press Secretary Jay Carney in an emailed statement after the meeting.
Experts say the White House only has only weeks to fix the problems before they start to directly effect the success of health reform. Government officials hope to enroll 7 million people in Obamacare by the end of 2014. If they get substantially less, costs could rise for others in the system. Brett Graham, a managing director of Leavitt Partners, who has also consulted on the exchanges, says “insurers really need that process to be reliable by about Nov. 1.”
For his part, Simo tried to report the security vulnerabilities he found by contacting an online operator at the Department of Health and Human Services. But he has little hope that his message will get to the right people. The operator seemed confused about what to do with the information. After a half hour of delay, Simo was told his complaints would be forwarded the Federal Trade Commission, an agency that typically investigates consumer complaints, who would contact law enforcement as necessary.
With reporting by Zeke Miller, Massimo Calabresi/Washington and Kate Pickert/Los Angeles