Associated Press Request For Documents Rejected By CMS

By Christine Kern, contributing writer

HealthCare.gov won't reveal records regarding security software on health website.

After promising not to withhold government information over "speculative or abstract fears," the Obama administration has concluded it will not publicly disclose federal records that could shed light on the security of the government's health care website because doing so could "potentially" allow hackers to break in.

Last year, the Associated Press made a Freedom of Information Act request for documents related to security software and computer systems associated with federal health care exchange website, but the Centers for Medicare and Medicaid Services rejected the request.

The AP requested the records late last year amid concerns that Republicans raised about the security of the website, which had technical glitches that prevented millions of people from signing up for insurance under Obamacare.

Authorities have refused to disclose the documents, citing concern that the information could be misused by hackers. CMS officials also denied the request in the face of concerns raised by Republicans regarding the security issues of the website. The website faced technical glitches due to which a number of people could not be enrolled for insurance under ObamaCare.

According to AP reports, CMS stated that publicizing the documents would break health-privacy laws and could potentially provide enough information for hackers to breach data. After considering all these factors, it was decided that not revealing the information would be better, said CMS spokesman Aaron Albright.

"We concluded that releasing this information would potentially cause an unwarranted risk to consumers' private information," CMS spokesman Aaron Albright said in a statement.

The AP wants the government to reconsider. In 2009, Obama instructed federal agencies not to keep information confidential "merely because public officials might be embarrassed by disclosure, because errors and failures might be revealed, or because of speculative or abstract fears." Yet the decision not to release the security information regarding HealthCare.gov is based upon speculation that disclosing the records could possibly, but not assuredly or even probably, give hackers the keys they need to intrude.

Yet, even when the government concludes that records can't be fully released, Attorney General Eric Holder has the power to direct agencies to reveal portions of the files, with sensitive passaged redacted CMS has insisted that it will not release any parts of any of the records.

The government's decision highlights problems as it grapples with a 2011 Supreme Court decision that significantly narrowed a provision under open records law that protected an agency's internal practices. Federal agencies have tried to use other, more creative routes to keep information censored.

"Here you have an example of an agency resorting to a far-fetched privacy claim in an unprecedented attempt to bridge this legal gap and, in the process, making it even worse by going overboard in withholding such records in their entireties," said Dan Metcalfe, a former director of the Justice Department's office of information and privacy who's now at American University's law school.

Keeping details about lockdown practices confidential is generally derided by information technology experts as "security through obscurity." Disclosing some types of information could help hackers formulate break-in strategies, but other facts, such as numbers of break-ins or descriptions of how systems store personal data, are commonly shared in the private sector. "Security practices aren't private information," said David Kennedy, an industry consultant who testified before Congress last year about HealthCare.gov's security.