House Majority Whip Kevin McCarthy, R-Calif., falsely claimed Consumer Reports warned "Americans not to go to the [HealthCare.gov] website because of the fear of having fraud." The consumer advocate initially advised people to wait until the website's many technical problems were worked out, but it told us that its advice "was not in reference to any concerns regarding fraud."
House Republicans have repeatedly warned about the potential for fraud on the federal website and have accused the administration of failing to provide adequate protection against it. McCarthy's claim in a Nov. 19 House Republican press conference continued that line of attack.
McCarthy, Nov. 19: Consumer Reports, have you ever noticed Consumer Reports to recommend you not to go to a website? They recommend Americans not to go to the website because of the fear of having fraud.
In a blog posting on Oct. 8, Consumer Reports highlighted some of the technical problems consumers were facing trying to enroll in a plan on the federal site in the early days of the rollout. The state-run marketplaces seemed to be "running much more smoothly" than the ones run by the federal government, the report said. "If your state's marketplace enrollment goes through Healthcare.gov (here's our list of state marketplaces), your best strategy right now is to wait a couple of weeks and hope that the site irons out its many problems."
A week later, Consumer Reports provided some detailed tips on how to "get past the roadblocks'" on the site to register for insurance. After providing a handful of suggestions, the blog post concluded, "If all this is too much for you to absorb, follow our previous advice: Stay away from Healthcare.gov for at least another month if you can. Hopefully that will be long enough for its software vendors to clean up the mess they've made."
Never, however, did Consumer Reports advise people to stay off the site due to concerns about fraud.
We reached out to Consumer Reports for clarification, and it released this statement to FactCheck.org:
Consumer Reports statement, Nov. 19: A Consumer Reports blog from October advised consumers that they could wait a few weeks before visiting Healthcare.gov in order to give the government time to fix technical glitches on the site. That statement was not in reference to any concerns regarding fraud in the insurance marketplaces. Our advice to consumers looking to purchase health insurance remains the same now as it was then: The best place to buy coverage on your own is through the Health Insurance Marketplace in your state.
In fact, Consumers Union, the policy and advocacy division of Consumer Reports, issued a press release announcing the White House's "interagency initiative to protect consumers from being victims of fraud while using the upcoming Health Insurance Marketplaces, including a way for consumers to report fraud through the Marketplace call centers." In that release, the Consumer Union's director of health reform, DeAnn Friedholm, "praised the commitment to preventing fraud and taking action against those connected with scams, while reinforcing the need for education to help consumers avoid these pitfalls."
Despite detailing technical problems with the website, Consumer Reports has been generally supportive of the Affordable Care Act, as was made clear in an Oct. 21 blog posting that ran under the headline, "Obamacare opponents have misrepresented Consumer Reports' position: HealthCare.gov problems do not negate benefits of new health law."
Consumer Reports, Oct. 21: Pundits opposed to the new health care law and some media outlets have tried to suggest that our coverage of the troubled HealthCare.gov site means that Consumer Reports has turned against the Affordable Care Act.
Not true. Consistent with our mission to inform and protect consumers, particularly in this complicated health care market, our advice remains the same: The best place to buy coverage on your own is through the Health Insurance Marketplace in your state. That guarantees you will get comprehensive coverage, and it's the only way you can lower the cost of your premiums and possibly even your deductibles and copayments.
Doing that online in most states means registering at and shopping through the federal HealthCare.gov.
McCarthy's concerns about fraud have been echoed by numerous opponents of the Affordable Care Act. House Republican leaders have claimed, so far without much evidence, that the HealthCare.gov website was launched despite "serious security vulnerabilities," as the House Committee on Oversight and Government Reform put it in a Nov. 11 press release.
Republican concerns about security were stoked by a nine-hour interview the House oversight committee conducted on Nov. 1 with Henry Chao, the deputy chief information officer at the Centers for Medicare & Medicaid Services. Chao oversaw implementation of the website. At the interview, Chao was given a copy of a Sept. 3 CMS memo that, the committee press release said, confirmed "serious security vulnerabilities present in the Federal Facilitated Marketplaces." Chao told the committee that he was unfamiliar with the memo and he would "have to look into this," according to a partial transcript of his interview.
However, at a Nov. 13 oversight committee hearing, Chao told the committee that the Sept. 3 memo pertained to parts of the website that did not go live on Oct. 1 and still aren't active, so there is no security risk from any of the issues raised in that memo.
Republicans — led by Rep. Darrell Issa of California, chairman of the oversight committee — also have pointed to a Sept. 27 memo in which Chao and others wrote that the Security Control Assessment was "only partly completed" before the website went live.
In his Nov. 1 interview, Chao explained the phrase "only partly completed." He said MITRE Corp. was hired to conduct security assessments, but it was not asked to do end-to-end security testing of the website. That is, he said, the website was tested for security controls in three parts — but not all at the same time because of the complexity of the project. Chao said the website "passed all the security controls." He acknowledged that end-to-end testing would have been "ideal," but he also said "that almost never happens in any project that I have ever worked on in the 20 years I have been at CMS."
At a Nov. 19 hearing of the House Energy and Commerce Subcommittee on Oversight, David Amsler, president of Foreground Security Inc., one of the firms responsible for monitoring the website for malicious activity, was asked about the current security status of the website (beginning at about the 3:12:36 mark). Amsler said no website is fully secure. "Today I feel comfortable with the capabilities we have put in place. But I'm always striving for more." Maggie Bauer, senior vice president of Creative Computing Solutions Inc., which works with Foreground Security to monitor for cyber attacks, agreed. "The system is secure," she said.
Bauer also said (at about the 2:59:00 mark) that there have been cyber attacks, but nothing "out of the ordinary" since the website went live on Oct. 1.
In his opening statement to the committee, MITRE Senior Vice President Jason Providakes said his company is not in charge of the website's security and has "no view on the overall 'safety' or security status of HealthCare.gov." Asked if he would feel comfortable putting his personal information on the site, Providakes said in fact he had already done so. "I feel comfortable, personally," he said.