security failures since security tests had been done before the changes, thus any changes could let external hacking to go on.
CMS also waited until two weeks before roll out to change the system so NOW the applicant had to supply personal info and register just to shop choices and prices, when Obama earlier promised they could compare choices without doing so. This was called "anonymous shopping", which was turned off. Testimony from CGI indicated it could be turned on if project manager CMS told them to.
Online quotes for insurance rates were INTENTIONALLY deceiving AND understated. TheY did not asK age, but only an age range, like 27-49, and 50 & up. Then if a 49 year old asked for a quote, they were given the much lower rate for a 27 year old. If a 63 year old asked for a quote, they were given the MUCH LOWER rate for 50 year olds.. I am not clear if they were charged the actual, higher rate if they signed up, or got notice later. THIS IS CLEARLY A BUNGLED, DECEPTIVE SYSTEM and is like a shifty car dealer mis-representing the hidden costs of buying a car.
The Democrats spent most time reading constituent letters and saying "let's fix it, not nix it" while Republicans focused on outing all the screwups (which is needed if you want to fix it). Clearly, the Democrats did not want to discuss accountability for all the added costs and effects of the screwups.
Vendors hid behind CMS contract agreements and would not answer many direct questions about WHO told them to do or not do various things.
What a botch up, and it is clear CMS failed, didn't stand up for more testing needs, and political changes caused other problems.
These are my original notes typed while watching the hearing.
Vendors
1 - CGI Federal systems - Ms. Cheryl Campbell
2. - DSSI - Andy Slavitts speaking
Two other vendors were there, but rarely had applicable issues.
Names of Congressman asking their questions and State are shown when known.
Issue:
Congressman came from radio station business and had experience with tech rollouts
No end to end testing until 2 weeks before roll out -
vendors claim their part worked well per CMS specs
CMS was apparently project manager
One vendor wanted end to end testing months before
"We would have loved to have months " to test end to end
"I am disturbed that CMS did not give you adequate time for end to end testing"
Ms. DeGette - CO
Issue of privacy
- a specter - weekly standard article - code not visible to user - in source code
- Only medical info is do you smoke?
- thus does not violate hippa
- her healthcare aide went online last night
Mr. Terry - nebraska
- Did they prepare for testimony with CMS
- Yes - "don't recall"
- No , no , no
Were any non US subs used (outsourcing)
- No, no, no, no - all in us
Re Front door
- Can you track people accessing front door
1. - We are not responsible for front door... no
2. - Slavits provides tool
Who is responsible for tracking access stats
Slavits - have data via IBM registration tool
Can you tell how many from Nebraska tried to access
- Slavits will get it and follow up.
CMS did not ask for it.
1. has some
"We have to have CMS permission to provide info..." They have not allowed it yet.
WEASELS - "If we can, we will answer" - relying on CMS confidentiality agreement to not answer.
Mr. Matsui - Calif
ISSA wrote letter re white house
Did the white house order vendors to mask sticker shock?
Mr. Rogers - Michigan
How many change orders received - CGI?
- 8 change orders, recent as August
- Slavic - low number
How many org boundaries between ends
- Campbell - irs, homeland secyrit - will get back
- Slavic -
Neither knows answer
CGI - did they do end to end test
"I believe where our system touched" - not an answer
Slavits - Our systems don't hold data
What are you doing for security tests - did you red team?
"I can check"
Minor corp did checks?
External threats? Slavits will come back with answer
Campbell - Mynor was indep security contractor
CMS with Mynors certifies security
1. Takes info from hub and gets to end user - built portion of infrastructure
2. Slavits wrote code to do it.
I am shocked that on Aug 30 that system is fine, but then updated lots of code that creates new vulnerability.
Ms. Schakowsky, IL
Did system crash with only a few people.
Only read a diatribe, clearly a Dem - didn't ask questions
Mr. Murphy - PA
CMS decided site visitor could not browse prices without registering.
Thus CGI did not allow anonymous shopping.
Slavit - didn't know requirement to prevent anonymous shopping until near rollout.
Don't know who made decision.
Did CGI inform CMS that they needed more time.
CGI system went through unit testing but not responsible for end to end testing.
CMS had CSSI to test their system.
CGI got $290-million
Ms. Campbell was able to test using hers from VA
Clavits informed CMS that more testing was needed.
SSCI tested?
They got $85-million
he tried to get on using TX - Was able to create an account, but didn't get confirmation email
"didn't work"
Lau - As of today, about 9000 manual applications filed.
Mr. Yarmuth - KY - clearly a Dem
Read letters of success - didn't ask questions
Experience in KY was successful after first day.
Stats for first 21 days
640k wo insurance
280k unique visitors to connect
247k have conducted pre-screenings
47k apps for covereage started
37k succeeded
18k enrolled
378 businesses have applied for employee coverage
Mr. Burgess - TEXas
What happens to info entered without getting confirmation. he tried numerous times setting new accounts and no confriamtion
Slavit - EDI had data, and sent to "marketplace" but doesn't know what happened then.
Can I get info back.
I believe info held in reigstration system
CGI received $112-million so far.
CMS are cost reimbursed contracts
CGI billing taxpayers even though code didn't work.
CGI - on Oct. 1, applicants could not get to their system
CMS was systems integrator - mr. Chow
Slavits - CMS was integrator but don't know who.
Why aren't they interviewing CMS also??
Appears no one is in charge
Who will take responsibility to get this fixed?
Mr. Welch (?)xxx - red tie - appears to be a Dem
Rambled about how many programs work great.
Talked about part D roll out in the past and glitches.
Read quotes from then. "Work together"
Mr. Scalise - LA
Young people forced on Jan 1 to pay double what they are paying.
Were there concerns at CGI that CMS did not have tech expertise?
Got waffling answer.
Sebelliaus said she needed 5 more years.
Mr. Tonko - NY - Dem
We have to fix it , not nix it
No concern over bad management
Read constituent letters on saving dollars
How many states participate - 36 per Campbell
Asked leading question why states wanted Feds to run program
Did CGI build any exchanges run by States - yes
- They are outperforming the Fed exchange
- State exchanges are being run better
- More New Yorkers enrolled on their own exchange than the Fed system.
Mr. Scalise - LA - again - R
Broken promises by Obama that people could keep their insurance - Lie
In FL, Blue dropping 300k people
Obama said go to health site and compare programs
- Scalise got 300k tv comparisons on Amazon.
- went to healthcare.gov and read list of all problems. - no side by side comparisons.
He used to program computers for a living and tested systems
Campbell - tracking error logs - don't have info, will get back
Slavits - same
Early promises said could go and shop without registrations, but late decision required registration and give private info. For CGI asked to be turned off two weeks before going live.
Facebook cost $500-m and this cost more.
12:11 - Saying: Garbage in, garbage out.
Many seats vacant
Mr. McNerney, Calif - a Dem?
"New opportunity for affordable healthcare"
Pompeo - ??
Can turn on browser open searching
CGI could turn it on if CMS gives instructions.
Browsable website turned off to hide costs.
Kinzinger - IL - Dem?
Regarding problems reported on post end transactions
WAPOST says errors in final backend processing form 834
Campbell - have uncovered some of those isolated scenarios
More isolated than widespread.
Part of Defect build process - trouble tickets prioritized and work with CMS & update
Reports are indicating dependents incorrectly recorded as spouses.
By 9am tomorrow, can she provide details.
**** Mr. Johnson - OH
Has MS and BS in computer science and implemented large systems
I have been where you are.
Cost is over $400-million
These are more than glitches but not fixed.
Indicitative of failure to employ good standards.
You can't recook eggs. Eat them as is, or send them back and restaurant eats cost of new eggs.
What we have here, either dev team did not follow a disciplines methodology, or they didn't notify anyone in CMS, or CMS ignored their recos and moved forward with flaws.
Is it capabilities at fault, or decisions,
Asked Slavitt - He said performance based on trusted data sources from hub.
Campbell testified earlier that when perfo issues like slowness, they would be addressed via fine tuning.
Did CGI tell Slavit of performance issues with data assurance.
Did Campbell tell indpendent tester of problems in Slavitt's data.
Did CGI provide risk management plan - yes
Contract requires recos of KPI's, but she said they did not do so.
They were supposed to follow CMS lifecyle management standards.
Their contract required end to end etc
Plus required pre-operational readiness review was in contract - - 2012, was to include estimate of Q1 of 2012 of operational costs.
Mr. Griffith - VA
People getting prices for 27 - 50 age are set at bottom 27 age, and 50& up getting price for 50 year old - thus understating proper costs per actual age.
Slavitt - last time testing - "at the very end" - don't know who they were working with.
Did you alert CMS of problems effect.
Henry chow of CMS told CGI to turn off anonymous shopping. No reason given.
Mr. McKinley - West VA
Pace is not specified in contract, but Campbell stated it was not an acceptable pace.
Independent verification - don't recall there being one.
Would have not hurt if one was used at start of program.
Can an independent org plan be reviewed - only if CMS agrees.
He is from construction industry which is very specific about substantial completion deadlines, etc.
None of those specs were in original contract such as start of testing.
Were there liquidated damages specified in contract if a standard FAR clause - but this is a cost plus contract.
McKinley says it was performance based plus incidental costs, not cost plus.
I am surprised by whole panel.
I have not heard one of you apologize to American public for these problems.
In construction, we would apologize to customers.
Mrs. Ellmers - NC -
I believe you did your best...
Bottom line is CMS is responsible for this failure.
Q1: How many now enrolled - Campbell not able to answer and need CMS approval.
Hiding behind CMS contract.
Mr Lau - how many paper applications - 3-4k
Obama rose garden speech called these glitches - urged people to call 800 number.
Campbell - what is process if 800 called - question goes to SERCO -
Lau - they don't oeprate call center. Call center key in data directly. It is same website portal system. Avg time to complete by phone: Lau claims he doesn't know. not certain.
Q1: Did campbell actually complete the process online - did not complete it.
Mr. Cassidy - LA
What are you being paid:
Campbell - $112mil - 196m for year, total contract value with options is $293-m
Slavick - funded at $85-mil for data services - not all paid yet.
Spellecy - $2m
Lau - $200m, paid about $30m so far
Campbell designed face or UI, but other firm took over with data handling.
Spanish system - not up, unclear when up. CMS directs when go live.
Is it ready - yes, would be ready if up. CMS decides
Why is a 49 year old getting 27 year old QUOTE?
Why is 60 year old getting quote for 50 year old.
Why not accurate - campbell would not be hard to add date of birth.
Big difference between 59 and 27 rates.
Train wreck.
Upton - MI is Chair
Sent letters to vendors on Oct 6, and deadline is 23rd.
Sebellius is testifying next week. Need answers by 9am tomorrow.
ended 1:30 pm
====================================================
My FB comment:
I am posting this again since Facebook would not let me share the earlier version.
I am watching CSPAN.org and the Congressional hearing about the Obamacare website failure. It is really clear that the Federal Dept., CMS , was project manager and screwed it all up by bad testing of "end to end" data flow. As a former information systems auditor, they dropped the ball.
They also only allowed the last two weeks to test the system "end to end" by following data through all the different vendor and provider systems, when "months" were needed per vendors.
They also made last minute changes which then could cause security failures since security tests had been done before the changes, thus any changes could let external hacking to go on.
CMS also waited until two weeks before roll out to change the system so NOW the applicant had to supply personal info and register just to shop choices and prices, when Obama earlier promised they could compare choices without doing so.
The Democrats spent most time reading constituent letters and saying "let's fix it, not nix it" while Republicans focused on outing all the screwups (which is needed if you want to fix it).
Vendors hid behind CMS contract agreements and would not answer many direct questions about WHO told them to do or not do various things.
What a botch up, and it is clear CMS failed, didn't stand up for more testing needs, and political changes caused other problems.