Interesting article on the ACA fiasco.
Nearly 20 million Americans have now experienced the broken Obamacare website first hand. But Ben Simo, a past president of the Association for Software Testing, found something more than a cumbersome login or a blank screen—clear evidence of subpar coding on the site.
In mid-October, he went to Healthcare.gov to help a family member get insurance, only to find his progress blocked. When he investigated the cause, he discovered that one part of the website had created so much “cookie” tracking data that it appeared to exceed the site’s capacity to accept his login information. That’s the mark of a fractured development team.
Even more alarming were the security flaws. An error message from the site relayed personal information over the internet without encryption, while the email verification system could be bypassed without access to the email account. Both security vulnerabilities could be exploited to hijack an account. “Because this is a huge system that people are mandated by law to use, the standard should be higher,” says Simo. “People are going to see it as a high value target.”
At the time, President Obama was still arguing that the main culprit for the breakdowns was the popularity of the site. “The website got overwhelmed by the volume,” he said on Oct. 4. The reality, of course, was far more dire.
The basic architecture of the site, built by federal contractors overseen by the Department of Health and Human Services, was flawed in design, poorly tested and ultimately not functional. “You need there to be good people on the inside to make good contracting decisions and good people on the outside to do the work,” explained Clay Johnson, a Democratic technology consultant who recently worked as a White House fellow. “Right now, it’s the blind leading the blind.”
Even on the back end of the site, data was garbled and, in some cases, unusable. The nightly reports that insurance companies receive from the federal government on new enrollees in the health plans have been riddled with errors, including syntax mistakes, and transposed or duplicate data, according to industry veterans. In other cases, insurers received multiple enrollments and cancelations from the same person, but since the documents lacked timestamps, it has been impossible to know which form is the most recent. Companies have resorted to contacting enrollees directly to get answers, a solution possible only because so few have been able to sign up. “We are seeing and hearing that enrollment files going to carriers are incomplete, there are errors,” said Dan Schuyler, a director of exchange technology at Leavitt Partners, a firm that consulted with several states in setting up their websites. “In three weeks or so when they start receiving these in mass volume, tens of thousands per day, it doesn’t matter if there’s a 1 percent error rate. Insurers don’t have resources to go through them and clean them up.”
For his part, Simo tried to report the security vulnerabilities he found by contacting an online operator at the Department of Health and Human Services. But he has little hope that his message will get to the right people. The operator seemed confused about what to do with the information. After a half hour of delay, Simo was told his complaints would be forwarded to the Federal Trade Commission, an agency that typically investigates consumer complaints, who would contact law enforcement as necessary.