ACA Health Exchange Contractors Have History of Security Failures
Lucas123 writes "Two of the contractors involved in developing online health insurance exchanges under the Affordable Care Act, which have been plagued by technical problems since launching this month, have had serious data security issues in the past. Quality Software Services developed the software for the Affordable Care Act's data services hub and oversaw development of tools to connect the hub to the databases of other federal agencies. Last June, an audit report by the Health and Human Services Inspector General found QSS failed to adhere to federal security standards (PDF) in delivering IT testing services for the Centers for Medicare & Medicaid Services. Additionally, services firm Serco suffered a major security breach in 2012. Serco won a five-year $1.3 billion contract to process and verify paper applications for health insurance via the online exchanges. Serco's breach exposed sensitive data of more than 123,000 members of the Thrift Savings Plan, a $313 billion retirement plan run by the U.S. Federal Retirement Thrift Investment Board. The exposed data included full names, addresses, Social Security Numbers, financial account information, and bank routing information."
Open Source It (Score:3, Interesting)
Re:Stop using contractors (Score:5, Interesting)
the biggest contractor, CGI Federal, was awarded its $94 million contract in December 2011. But the government was so slow in issuing specifications that the firm did not start writing software code until this spring. As late as the last week of September, officials were still changing features of the Web site.
If there is no specification then you're going to get a crap product. If they started in Spring then there is no way they finished in time to do several months of testing, bug fixing, and regression testing.
Re:This is pathetic. (Score:4, Interesting)
On the other hand, how the fuck did we end up with this crap? You cannot roll out a project to millions of users this quickly and without adequate load testing.
They did adequate load testing. The testing results said the site would fail under load. [washingtonpost.com] They released it anyway. The flaws are there, but they were not in the testing.