In an exclusive interview with a former CGI Federal infrastructure engineer, and in related original documentation, The Bull Elephant has learned that the Obamacare website is a clear and present danger to the lives and privacy of all Americans. Not only was much of the programming work outsourced to India, but that programming was never done in the ways necessary to protect the personal information of American citizens.
The continued operation of healthcare.gov presents extreme risk of identity theft to its users, due to a combination of factors such as the outsourcing of development to foreign nationals, a consolidation of personally identifiable information (PII) in a known high-risk information security environment, cascading security risks to information stored in private and government databases, and the involvement of former ACORN operatives who have been recycled as Obamacare “navigators.” Some of these risks have already been confirmed in Congressional testimony. In addition, the initial project plan barely mentions security requirements at all, indicating that protection of personal information was at best an afterthought, and possibly not integrated into the development plan at all.
Through information supplied to us by a former CGI Federal employee, we can confirm that some of the application development programming was definitely assigned to at least one programming team located in India. By offshoring this development, not only did the Obama administration contradict its own policy goals with regard to employment in the United States, but it also incurred a highly elevated risk of rogue programmers inserting backdoors and other security-circumvention measures, as well as the risk of espionage by a foreign government. This method of outsourcing development has long been known to be an attractive target for hacking. Other developers were brought into the United States on H-1B visas, which are a longstanding magnet for employment fraud. An H-1B visa holder was the perpetrator in one of the most alarming acts of insider sabotage in recent history, which, if successful, had the potential to destroy the ability of Fannie Mae to operate. The utilization of non-American programmers by the U.S. government raises many important questions.
The combination of PII and a high-risk security environment presents the risk that unknown persons may presently be able to access any and possibly all protected personal information being entered into healthcare.gov, not limited to what is supplied by the user, but also information drawn from a wide list of secure government databases including federal IRS, DHS, Social Security, VA, and Medicaid sources, as well as state sources such as DMV agencies. It cannot be ruled out that information on individuals who have not even used healthcare.gov is also being mined from these sources by rogue actors. There are already several known instances – such as this particularly alarming report – of individuals who have had their personal information stolen after using the site. There are many plausible scenarios of information being deliberately mined, or accidentally exposed by poor development practices.
Former operatives of ACORN – an organization caught red-handed in systematic fraud with specific respect to government programs, so much so that the organization itself was dissolved after the public revelation of these activities – have been recycled into Obamacare “navigators”. ACORN has a history of violating PII, most notoriously in giving protected voter information to convicts who were at the time still in jail on charges of identity theft. As the navigators are drawn largely from the same body of unrepentant actors, it appears to be a safe assumption that there will be widespread fraud in Obamacare as well due to the involvement of these individuals and the ringleaders who organize them. Indeed, just the other day a director from Enroll America – a non-profit group dedicated to enrolling individuals in Obamacare – was exposed in an attempt to illegally funnel private data for “election and political purposes”.
The following two images come from CGI Federal’s own project plan, and they represent the entirety of the references to security in the detailed project overview. As you can see, there is not much consideration of information security at all, and what little is mentioned on the subject was not pursued, as the results testify. The green highlighting has been added to these images to emphasize how little consideration of information security went into the original project plan.
It is difficult to avoid the conclusion that healthcare.gov is an ongoing clear and present danger to the data security of the private and protected information of every single American. It is as a result of these risks and others that I hereby call on healthcare.gov to be shut down immediately until the security of this information can be assured at the same level that any private institution would be required to ensure, and the site is able to pass proper and thorough independent security review.
The Bull Elephant will be releasing additional evidence of the Obama administration’s dangerous incompetence in the coming days. Stay tuned.