HEALTH EXCHANGE SECURITY AND TRANSPARENCY ACT OF 2014; Congressional Record Vol. 160, No. 6
(House of Representatives - January 10, 2014)

Text available as:

Formatting necessary for an accurate reading of this text may be shown by tags (e.g., <DELETED> or <BOLD>) or may be missing from this TXT display. For complete and accurate display of this text, see the PDF.


[Pages H139-H150]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




         HEALTH EXCHANGE SECURITY AND TRANSPARENCY ACT OF 2014


                             General Leave

  Mr. PITTS. Mr. Speaker, I ask unanimous consent that all Members may 
have 5 legislative days to revise and extend their remarks and to 
include extraneous material on H.R. 3811.
  The SPEAKER pro tempore (Mr. Collins of Georgia). Is there objection 
to the request of the gentleman from Pennsylvania?
  There was no objection.
  Mr. PITTS. Mr. Speaker, pursuant to House Resolution 455, I call up 
the bill (H.R. 3811) to require notification of individuals of breaches 
of personally identifiable information through Exchanges under the 
Patient Protection and Affordable Care Act, and ask for its immediate 
consideration in the House.
  The Clerk read the title of the bill.
  The SPEAKER pro tempore. Pursuant to House Resolution 455, the bill 
is considered read.
  The text of the bill is as follows:

                               H.R. 3811

         Be it enacted by the Senate and House of Representatives 
     of the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

         This Act may be cited as the ``Health Exchange Security 
     and Transparency Act of 2014''.

     SEC. 2. NOTIFICATION OF INDIVIDUALS OF BREACHES OF PERSONALLY 
                   IDENTIFIABLE INFORMATION THROUGH PPACA 
                   EXCHANGES.

         Not later than two business days after the discovery of a 
     breach of security of any system maintained by an Exchange 
     established under section 1311 or 1321 of the Patient 
     Protection and Affordable Care Act (42 U.S.C. 18031, 18041) 
     which is known to have resulted in personally identifiable 
     information of an individual being stolen or unlawfully 
     accessed, the Secretary of Health and Human Services shall 
     provide notice of such breach to each such individual.

  The SPEAKER pro tempore. The gentleman from Pennsylvania (Mr. Pitts) 
and the gentleman from New Jersey (Mr. Pallone) each will control 30 
minutes.
  The Chair recognizes the gentleman from Pennsylvania.
  Mr. PITTS. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, in the days leading up to Christmas, hackers stole 
millions of credit card numbers from the servers of retail giant 
Target. I imagine that at least a few here in this Chamber may have had 
their own credit cards replaced to prevent theft.
  What if Target had not bothered to tell anyone?
  What if they had waited until people noticed fraudulent charges 
popping up on their statements? The damage would certainly be worse.
  It may shock some people to learn that there is no legal requirement 
that the Department of Health and Human Services notify an individual 
if his or her personal information is breached or improperly accessed 
through the Affordable Care Act's exchanges.
  While HHS has said that it will notify individuals in such a case, 
the American people have a right to know that their government is 
required by law to contact them if their personal information is 
compromised.
  H.R. 3811, the Health Exchange Security and Transparency Act, would 
simply ensure Americans receive notification from HHS when their 
personally identifiable information has been compromised through the 
exchanges. Specifically, the bill requires HHS to notify individuals no 
later than two business days after discovery of a breach of an exchange 
system.
  Since the disastrous rollout of the healthcare.gov Web site, 
congressional oversight has uncovered that end-to-end security testing 
of healthcare.gov did not occur before the October 1 launch, and that 
high-ranking administration officials were told of the security risks 
before the Web site went live.
  Teresa Fryer, the chief information security officer for the agency 
running the exchange system, even stated in a draft memo that the 
Federal exchange ``does not reasonably meet security requirements'' and 
``there is also no confidence that personal identifiable information 
will be protected.''
  A recent article in Information Week discussed a report released by 
Experian entitled ``2014 Data Breach Industry Forecast,'' which stated 
that ``the health care industry, by far, will be the most susceptible 
to publicly disclosed and widely scrutinized data breaches in 2014.''
  According to Information Week, the author of the study said he is 
basing this prediction at least partly on reports of security risks 
posted by the healthcare.gov Web site and the health insurance 
exchanges established by various States. The Web infrastructure to 
support health insurance reform was ``put together too quickly and 
haphazardly.''
  The most glaring problem for these sites has been their inability to 
keep up with consumer demand. The organizational infrastructure behind 
the implementation of ObamaCare is also complex, meaning that many 
parties have access to the personal data and could misuse or mishandle 
it.

       So we have volume issues, security issues, multiple data 
     handling points, all generally not good things for protecting 
     protected health information and personal identity 
     information.

  Given the lack of security testing and the risk associated with 
healthcare.gov, and the administration's repeated misrepresentation of 
the Web site's readiness and functionality, H.R. 3811 is a reasonable 
step to ensure Federal officials are required to notify individuals in 
case of a breach.
  Mr. Speaker, I reserve the balance of my time.
  Mr. PALLONE. Mr. Speaker, I yield myself such time as I may consume.
  First of all, Mr. Speaker, I want to point out that Republicans are 
using

[[Page H140]]

out-of-context quotes from an administration, or from administration 
officials, to mislead the public about the security of healthcare.gov, 
the Web site.
  The same official they keep quoting went on to say:

       The added protections that we have put into place are best 
     practices above and beyond what is usually recommended. And 
     no Web site is 100 percent secure. But this effort to scare 
     people from signing up for coverage is simply wrong.

  Mr. Speaker, I am afraid the bill before the House today is simply an 
effort by Republicans to continue to impede the efforts of implementing 
the Affordable Care Act by instilling misinformation and fear in the 
American public. It is an egregious bill that would, in my opinion--let 
me point this out, Mr. Speaker. Yesterday, I was in the Rules 
Committee, and I pointed out that, to some extent, I was pleased, I 
guess, that I don't see the Republicans actually coming to the floor 
today to act on another repeal or outright repeal of the Affordable 
Care Act. I mean, we are not seeing that. We didn't see it in Rules. 
And hopefully, I will say to my colleague, the chairman of the Health 
Subcommittee, that we don't see it again, either in the committee, in 
Rules, or on the floor.
  So maybe there is some progress here, and at least the Republicans 
are not out there trying to repeal the Affordable Care Act anymore--at 
least I hope so.
  But they are now moving to these other methods of trying to put fear 
in the public so that they don't sign up or they don't go on the Web 
site. And the fact of the matter is that these security measures that 
they are talking about are addressing a reality that is not there.
  Do I think that security measures are critical for the Web site?
  Yes, absolutely. But let's recap the last few years since the ACA 
passed. Republicans claim the ACA kills jobs; but since the law has 
passed, we have added nearly 8 million jobs.
  Republicans claim that the ACA causes health costs to increase, but 
the last 4 years we have seen the slowest health care cost growth in 50 
years.
  Republicans claim we need to address the deficit; yet they repeal the 
law at every turn, which increases the deficit by over $1.5 trillion.

  Well, now they say that healthcare.gov is going to result in 
widespread breaches of people's personal information, and that is 
simply not true. There have been no successful security attacks on 
healthcare.gov, and no one has maliciously accessed personal 
information.
  No Web site, public or private, is 100 percent secure, but 
healthcare.gov is subject to strict security standards. It is 
constantly monitored and tested, and its security and privacy 
protections go beyond Federal IT standards.
  And the Health and Human Services Department has standards in place, 
just like every other government agency, to notify individuals if their 
personal information is breached.
  So, Mr. Speaker, it is important that I note for everyone that House 
Democrats have always previously supported legislation to require 
consumer notification in the event of a breach of government and 
private sector computer systems. We still do.
  By expressing concern for the mockery of this bill, it does not mean 
that I don't support requiring the administration to notify individuals 
of breaches of their information, but this not is a serious effort to 
strengthen privacy laws or to strengthen the health care Web site.
  The Republican strategy is to scare people away from going to the Web 
site and signing up for health care, and I urge Members and the 
American public, do not be fooled by what they are doing.
  It is a good thing that they are not seeking to outright repeal the 
Affordable Care Act anymore, at least that appears to be the case, 
based on what happened in Rules the other night. But that doesn't mean 
that they are not going to continue with these efforts to try to make 
hay over security and other matters.
  And I can't stress enough that every one of the scare tactics they 
use, whether it is saying that the ACA is going to increase the 
deficit, which it doesn't, it actually decreases the deficit; or 
whether they say that it is going to increase health costs, which we 
know it doesn't, it actually decreases health costs.
  This is just another one of those scare tactics. And I just hope that 
my colleagues, both Democrats and Republicans, are not fooled by this.
  Mr. Speaker, I reserve the balance of my time.
  Mr. PITTS. Mr. Speaker, at this time I am pleased to yield 2 minutes 
to the gentleman from California (Mr. Issa), the distinguished chairman 
of the Oversight and Government Reform Committee.
  Mr. ISSA. Mr. Speaker, famously, Franklin Delano Roosevelt said, We 
have nothing to fear but fear itself. That is not true here and, sadly, 
the last speaker is entitled to his opinion, but the facts do not bear 
out his conclusions.
  The truth is that actual interviews and depositions taken of the 
highest-ranking people that helped develop this Web site, both public 
and private, show there was no end-to-end testing. It did not meet the 
spirit of any definition of a secure Web site.
  In fact, the highest-ranking person, Teresa Fryer, on September 20, 
was unwilling to recommend this site go active, and said under oath 
that if it had been within her authority to stop it, she would have.
  It is very clear, even from the White House's statements in the last 
few days, that they claim to have mitigated or have a plan to mitigate 
significant security risks. The American people need to understand a 
plan to mitigate means they have not mitigated security risks.
  This is the situation we are in, in which no private sector company, 
including Target, would go live with a system that has known failures 
and unknown failures because of a failure to do end-to-end.
  All we are asking for is, since Secretary Sebelius, under oath, has 
been wrong on multiple occasions, I have called for her to make clear 
that she made false statements. The fact is what we need is a law that 
makes it clear that they should do the right thing, not say they have 
always done the right thing and they will do the right thing, because 
in the case of healthcare.gov, they launched a site that was neither 
functionally ready, nor had it been security tested, and it had known 
failures that were not mitigated prior to the launch.
  Those are the facts, Mr. Speaker, and I ask for support of this bill.
  Mr. PALLONE. Mr. Speaker, I yield 3 minutes to the gentlewoman from 
Colorado (Ms. DeGette).
  Ms. DeGETTE. Mr. Speaker, some mornings in Congress I wake up and I 
say, now here is a solution in search of a problem; and this morning is 
one of those days.
  We are hearing about how the Web site is not secure, how there can be 
security breaches. Ironically, we are hearing about security breaches 
with a private company, Target, and how terrible it is, and that is why 
we have to do a bill.
  But, in fact, we haven't seen any security breaches with 
healthcare.gov or the Web sites around the Affordable Care Act. And I 
want to stress that.

                              {time}  0930

  I am the ranking Democrat on the Oversight and Investigations 
Subcommittee of Energy and Commerce, and we have had a number of 
hearings, and we have had classified briefings. Here is some 
information that is not classified information.
  There has been not one successful hack into www.healthcare.gov. Let 
me say that again. Nobody has successfully been able to breach 
www.healthcare.gov. Furthermore, as we have recently learned in a 
briefing, www.healthcare.gov, interestingly, has not been targeted any 
more than any other Federal Web site for hackers.
  So why are we doing this bill? I have got to associate myself with 
Ranking Member Pallone's comments, that the only reason we could be 
doing this bill is to try to have a chilling effect against people 
signing up to get health insurance through the Web sites.
  Let me say it again. There have been no successful breaches of 
www.healthcare.gov.
  Now, if we really wanted to do a bill that would strengthen privacy, 
I would be all for that. I think that consumer privacy is one of the 
most important

[[Page H141]]

things we can do. But really, when you look at the details of this 
bill, there is nothing here that furthers consumer notification or 
consumer privacy.
  First of all, there is no exemption or consideration of law 
enforcement. What if law enforcement found a potential breach and 
needed to investigate it? What if they needed more than 48 hours to 
make sure that, in fact, there was a breach before they notified 
people? Consider the harm that would occur if law enforcement did not 
have enough time and resources to fully investigate a security breach 
before it went public. The consequences of hasty and incorrect 
notification could just make the problem worse.
  Secondly, based on how the bill is drafted, if there is a data breach 
in a State that has chosen to run its own exchange, like my home State 
of Colorado, HHS seems to bear an unnecessary burden of reporting the 
breach in the State exchange having nothing to do with the Federal 
exchange.
  Might I remind my colleagues, State exchanges are entirely 
independent from www.healthcare.gov. HHS does not run them. HHS did not 
build their Web sites, and HHS did not develop their security 
protocols. So why should HHS have to get involved in the State-run 
exchanges?
  The SPEAKER pro tempore. The time of the gentlewoman has expired.
  Mr. PALLONE. Mr. Speaker, I yield an additional 1 minute to the 
gentlewoman from Colorado.
  Ms. DeGETTE. So security for these State-based exchanges should be 
the responsibility of the States that are running them.
  I could go on and on. There are more problems with this bill than 
pages in the bill.
  So let's get real. Instead of bringing legislation like this to the 
floor without any committee action, why can't we sit down together in a 
bipartisan way and improve the way the Affordable Care Act works for 
our constituents? That is what our constituents want. They want 
affordable health insurance. They want health care. And they don't want 
unwarranted scare tactics and attacks. So let's sit down. Let's work 
together. Let's fix this legislation. And let's get real.
  Mr. PITTS. Mr. Speaker, I am pleased, at this time, to yield 2 
minutes to the distinguished gentlelady from Tennessee (Mrs. Black), 
who is an expert on this issue.
  Mrs. BLACK. Mr. Speaker, I rise today in support of this legislation 
to provide basic diligence to the Federal ObamaCare exchange.
  If someone's personal information has been breached, the Federal 
Government should be accountable and be required to notify them so that 
they can protect themselves from either identity theft or cyber 
threats.
  This is common sense, as data breach notification is required on most 
of the State-run exchanges, and there are laws that require 
notification by private businesses as well. Yet, when HHS was asked to 
insert notification provisions into the final rule for ObamaCare, they 
specifically declined to do so. This is an astonishing failure on the 
part of the administration though, sadly, characteristic of how they 
have proceeded at every turn with implementation of this train wreck 
legislation.
  www.healthcare.gov has been described by former Social Security 
Administrator Michael Astrue as a ``hacker's dream,'' and last month, 
HHS reported that there had been 32 security incidents since its 
launch. The Federal exchange potentially puts at risk Americans' names, 
addresses, phone numbers, dates of birth, email addresses, and even 
Social Security numbers.
  Last month, I introduced similar data breach notification 
legislation, and I am pleased to join my House colleagues now to pass 
this important bill.
  Mr. Speaker, I can't imagine explaining to my constituents that I 
voted against this commonsense measure to protect hardworking Americans 
from identity theft and cyber attacks, and this is why I urge my 
colleagues to support this bill.
  Mr. PALLONE. Mr. Speaker, I yield 3 minutes to the gentleman from 
Maryland (Mr. Cummings), the ranking member of the House Committee on 
Oversight and Government Reform.
  Mr. CUMMINGS. Mr. Speaker, I thank the distinguished gentleman from 
New Jersey for yielding.
  I would like to make two very, very simple points.
  First, the Affordable Care Act is working. Hello. It is working. It 
went into full effect, if you didn't know, on January 1, and now 
millions of people--millions--are getting health insurance that they 
didn't have before.
  Imagine what this means to families. Not only are they receiving 
critical medical care, but they have the security of knowing they will 
not go bankrupt if they get into an accident or they get sick. That is 
major.
  The law also put in place key protections for consumers. Insurance 
companies are now prohibited from discriminating against people with 
cancer, diabetes, or other preexisting conditions. Some young people in 
my district said, Well, Congressman, I am not worried about preexisting 
conditions. I told them, You just keep on living. Insurance companies 
may not charge higher prices for women, and millions of people are now 
receiving free preventative care.

  There are also huge financial benefits. Health insurance companies 
are sending rebate checks to millions of people. Since the law was 
passed, we have seen the lowest growth in health care costs in 50 
years; and if we repealed the law today, it would increase our deficit 
by more than $1.5 trillion.
  Despite all these positive results, Republicans are still obsessed 
with killing the law. Since they cannot do it legislatively, they have 
shifted to a different tactic--scaring people away from the Web site.
  So my second point is this. There have been no successful security 
breaches of www.healthcare.gov. Let me say that again. There have been 
no successful security breaches of www.healthcare.gov. Nobody's 
personal information has been maliciously hacked.
  All week, Republicans have been trying to make their case for this 
bill by quoting from a memo drafted by the chief information security 
officer at CMS about concerns before the Web site was launched, but 
they omit one critical fact: this official never sent the memo. It was 
a draft. And she never gave it to anyone, including her own supervisor. 
How do we know this? Because she was interviewed by the Oversight 
Committee by both Republican and Democratic staff weeks ago.
  The SPEAKER pro tempore. The time of the gentleman has expired.
  Mr. PALLONE. I yield the gentleman from Maryland an additional 1 
minute.
  Mr. CUMMINGS. And she told us this herself.
  Her draft memo did not take into account mitigation strategies put in 
place in the days that followed. Importantly, she also told the 
committee that she is satisfied with the security testing being 
conducted. When asked to describe the security measures now in place, 
she called them, ``best practices above and beyond what is usually 
recommended.''
  These are important facts for the American people to know, but the 
Republicans disregard them and omit them because they want to undermine 
their claims.
  Many of us would support efforts to strengthen requirements for the 
entire Federal Government and private sector to notify consumers of 
breaches, but today's bill does not do that. Today's bill is the latest 
attempt to attack the Affordable Care Act and deprive millions of 
Americans of the health care they deserve.
  Mr. PITTS. Mr. Speaker, at this time, I am pleased to yield 1 minute 
to the gentleman from California, Kevin McCarthy, the distinguished 
whip of the House.
  Mr. McCARTHY of California. Mr. Speaker, I rise today in support of 
the Health Exchange Security and Transparency Act. The reason why we 
are passing this important legislation today is that credible and 
documented fears have been raised that this hastily constructed 
ObamaCare exchange Web site could jeopardize the security of our most 
sensitive personal information.
  One of the many reasons so many worry about ObamaCare is that it 
injects government and government bureaucrats into the most personal 
sphere of our lives, our health care, in new and alarming ways. Nothing 
could turn a life more upside down quickly than identity theft. It is 
our duty, as Members of Congress, to do everything

[[Page H142]]

in our power to protect and inform Americans about these potentially 
devastating events.
  I am confident that this concern is one of the law's most negative 
consequences that both sides of the aisle can come together and agree 
must be addressed. Absent its full repeal, instilling this type of 
transparency and accountability into ObamaCare is a worthy first step. 
I urge my Democratic friends to join with us today.
  Mr. PALLONE. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, Republicans continue to attack the Web site, 
www.healthcare
.gov, and this attack on the security of the Web site is just the 
latest in a long line of scare tactics attempting to limit enrollment 
and coverage under the ACA.
  It just bothers me so much because, as you know now, we have about 6 
million people who have obtained coverage, 2.1 million receive private 
insurance through the Web site, and things really are moving now in 
terms of more and more people signing up and getting coverage.
  I just wish that, rather than using scare tactics and trying to talk 
about security concerns that don't exist, they would focus and work 
with us at actually trying to sign people up to get people to have 
health insurance, which is the goal, of course, of the Affordable Care 
Act.
  The bill suggests that there are serious security problems with 
www.healthcare.gov, but this unique requirement doesn't apply to other 
government Web sites or to private Web sites. Under the bill, HHS is 
required to notify individuals within 2 business days if their 
personally identifiable information is known to be stolen or unlawfully 
accessed from a marketplace computer system. If this is a good idea, 
then why is the GOP bill limiting this requirement to only marketplace 
Web sites? It is just a missed opportunity.
  Democrats firmly support strong data security and breach notification 
legislation. If the Republicans were serious about the security of 
personally identifiable information on the Web, instead of bringing up 
this bill, they could have reached out to Democrats and developed a 
bipartisan bill.
  Indeed, when Democrats were in the majority, the Democrat-run House 
passed bipartisan legislation to provide for consumer notification in 
the event of a breach, which was introduced in the previous Congress. 
And the Republicans are still playing political games. If they want to 
work with us to bring to the floor serious bipartisan data security 
breach notification legislation, then they should simply do it.
  In the Rules Committee the other day, one of the members asked, on 
the Republican side, if the administration has a position on the bill. 
And the administration clearly opposes the bill. They put out an SAP 
which states:

       The Administration believes Americans' personally 
     identifiable information should be protected wherever it 
     resides, and that all Americans deserve to know if that 
     information has been improperly exposed . . . The Federal 
     Government has already put in place an effective and 
     efficient system for securing personally identifiable 
     information in the Health Insurance Marketplaces.

  So they oppose the passage of this bill.
  I just wish I could convince my colleagues--again, I am happy that 
this is not an outright repeal and that we are not wasting time on 
that, but we are still wasting time with this notion of the security 
breach that hasn't happened when security measures are already in 
place.
  Again, this is being brought up in the first week we are back with no 
effort to reach out to us in any way to try to deal with this. It has a 
2-day notification requirement, which is simply not workable.
  I cannot stress enough that we, as Democrats, would like to address 
this issue, but it is not being addressed. It is just being done as a 
way of trying to scare the public from signing up on the Web site, 
which is so unfortunate because people want to sign up. They shouldn't 
be in fear that, if they sign up, somehow there is going to be a 
security breach.
  I reserve the balance of my time.

                              {time}  0945

  Mr. PITTS. Mr. Speaker, at this time, I am pleased to yield 4 minutes 
to the gentleman from Florida (Mr. Bilirakis), a distinguished member 
of the Health Subcommittee.
  Mr. BILIRAKIS. Thank you, Mr. Chairman. I appreciate it very much.
  Mr. Speaker, I rise today in support of the Health Exchange Security 
and Transparency Act. I am pleased to be an original cosponsor of this 
legislation, and I am glad we are addressing this very important issue 
on the House floor today.
  Each day, I hear from constituents in Florida's 12th Congressional 
District who are experiencing the negative impacts of ObamaCare. 
Contrary to the very promises the law was sold on, my constituents have 
lost their health care coverage, have seen their premiums rise, and 
were forced to choose new doctors. Now they are faced with concerns 
regarding their personal information and whether it is compromised--all 
because the President's signature law was never really ready for prime 
time.
  The Energy and Commerce Committee, which I am a member of, has held 
numerous hearings into the failed Web site and the lack of testing that 
occurred to ensure the Web site was properly secured.
  In these hearings, we have learned that 30 to 40 percent of the Web 
site isn't built; end-to-end security testing wasn't performed; and 
CMS' own chief security information officer recommended against an 
Authority to Operate because of cybersecurity concerns.
  Her memo even stated:

       There is no confidence that personally identifiable 
     information will be protected.

  It was the administrator of CMS, not that chief information officer, 
that signed off on the ATO.
  Mr. Speaker, does this sound like a safe and secure Web site? 
Millions of Americans were forced to sign up for the exchanges in order 
to avoid individual mandate fines. And now each of these individuals, 
including myself and many in this Chamber, are potential victims of 
identity theft.
  While privacy in the health care realm is typically protected by 
HIPAA, it does not apply to HHS or the federally run exchanges. 
Furthermore, data notification is critical to maintaining security, and 
individuals should be notified when their personal information could be 
compromised. Yet, in the final rules HHS published in August, it did 
not finalize a data breach notification rule. Instead, it stated that 
it is up to ``CMS to determine whether a risk of harm exists and if 
individuals need to be notified.''
  A government bureaucrat, Mr. Speaker, should not be given the power 
to determine whether the loss of personally identifiable information 
constitutes harm. We do not know how many breaches have occurred on 
healthcare.gov, whether due to the accidental sharing of information or 
otherwise, because there is currently no public disclosure requirement. 
The Health Exchange Security and Transparency Act will bring 
accountability and transparency to the administration and the health 
care exchanges.
  I strongly urge my colleagues in the House to support this bill 
today, and I urge all, of course, our colleagues in the Senate to 
swiftly take up this bill so that we may pass it into law.
  Mr. PALLONE. Mr. Speaker, I yield such time as he may consume to the 
gentleman from California (Mr. Waxman), ranking member of the Energy 
and Commerce Committee.
  Mr. WAXMAN. The previous speaker in this debate said that we don't 
know how many times there was a breach of security on the health care 
Web site. Well, we do know how many breaches of security there were, 
how many successful attacks there were--zero. There have been no 
successful breaches of healthcare.gov.
  Mr. Speaker, since October 1, more than 6 million Americans have 
signed up for health insurance--6 million. Four million are enrolled in 
Medicaid, 2 million in private coverage. Any way you look at it, that 
is good news.
  Now Republicans seem eager to find some bad news. They want to keep 
talking about Web site problems and stir up phony fears that personal 
information is not secure on this site. They are looking for the bad 
news because the facts are against them.
  Republicans said the Affordable Care Act would kill jobs. We hear it 
over and over again--kill jobs. Since the law was passed, we have added 
nearly 8 million jobs. Republicans said this law

[[Page H143]]

would cause health care costs to skyrocket, but we have had 4 straight 
years of the slowest health care cost growth in 50 years. Republicans 
said the ACA would explode the deficit, but repealing the law, which 
they have tried to do over 40 times on the floor, would increase the 
deficit by over $1.5 trillion.
  So, today, House Republicans are resorting to scare tactics. They are 
bringing up a poorly thought-out bill based on the false premise that 
healthcare.gov is not secure. The truth is--I will say it again--there 
have been no successful security attacks on healthcare.gov.
  Now, while no site, public or private, is 100 percent secure, 
healthcare.gov is subject to strict security standards, it is 
constantly monitored and tested, and it has procedures in place to 
notify consumers in the event of a breach. We can't say the same thing 
for private Web sites. We all heard about Target having their Web site 
attacked successfully. No one is asking that they make disclosures.
  In fact, Mr. Speaker, this is not a serious attempt to address this 
issue because it doesn't set any standards on private insurance 
companies. Private insurance companies hold far more private data than 
the exchanges.
  Mr. Speaker, as chairman, I worked on bipartisan legislation to set 
tough data privacy and security standards on government and private 
sector computer systems. House Democrats have supported these efforts, 
but this bill is not serious. Did you know this bill was never even 
considered in committee? It doesn't allow for any delay in reporting to 
protect ongoing law enforcement investigations. The bill creates a host 
of technical and administrative problems.

  This is purely a message bill. That is all we do these days. In 
between recesses, we have message bills on the floor of the House, and 
we get nothing done. This is purely a message bill, and the message is 
one that is designed to mislead. I urge a ``no'' vote.
  Mr. PITTS. Mr. Speaker, at this time, I am pleased to yield 1 minute 
to the gentleman from Virginia, Eric Cantor, our distinguished majority 
leader.
  Mr. CANTOR. I thank the gentleman from Pennsylvania.
  Mr. Speaker, I want to rise in support of the Health Exchange 
Security and Transparency Act. If I could just take a few seconds to 
respond to the allegations put forward by the gentleman from 
California, the ranking member on the Energy and Commerce Committee, I 
want to just make a point, Mr. Speaker. There is a real difference 
between users of a retailer's Web site and users of healthcare.gov 
because those who choose to go on the Web site of a retailer in the 
private sector do so at their choice.
  The people of this country, all of the American people now, if they 
go to healthcare.gov, they are being forced to go to healthcare.gov, 
and so for the gentleman to sit here and say, well, we don't require 
this out of the other industries, banks or anything else, I would beg 
to differ. There are certainly requirements in law and duties owed by 
banks to their shareholders, customers and the rest, but I would say to 
the gentleman, this is a situation where the law at hand is requiring 
individuals--mandating them--to go to this site.
  So contrary to the allegations made by the gentleman, what this bill 
does is it just requires the administration to provide 48 hours' notice 
after a breach of health care information or financial data. All it 
says is the administration has to let victims of identity theft or 
information theft be notified. That is it. This is a good government 
bill. Why do we want to wait until there is a data breach?
  I would ask the gentleman to look to a quote by CMS' own chief 
information security officer, Teresa Fryer. She said that the Federal 
exchange ``does not reasonably meet security requirements.'' That is 
what the chief cybersecurity officer at the agency says, the exchange 
``does not meet security requirements.''
  Now, the Experian credit bureau said:

       The health care industry, by far, will be the most 
     susceptible to publicly disclosed and widely scrutinized data 
     breaches of 2014.

  If we know this, why wouldn't we take precautions to help people? 
That is all this bill does. It says if there is a risk of data breach, 
we should afford people the opportunity to take corrective action 
immediately. That is it. There is no message in there. This is just 
trying to help people.
  So I would say to the gentleman, if he would just set aside the 
partisan attacks for once, let's help people. Let's go about the way we 
should be in putting people first here. We disagree on this law in 
requiring health care the way government says we should require, yes, 
but I think we can all agree we want to help people, and we want to 
make sure that they can keep their information safe. That is all this 
bill is about.
  So I want to thank Chairman Fred Upton, Chairman Joe Pitts, and the 
members serving on the committees who have been conducting oversight on 
the issue for the past year, including the Science Committee, the 
Homeland Security and the Oversight and Government Reform Committees. 
Congresswoman Diane Black, certainly the gentleman from Florida, Gus 
Bilirakis, and Representative Kerry Bentivolio have all worked hard on 
this issue. I commend them for their efforts to just help people for 
once.
  With that, I urge adoption and passage of the bill.
  Mr. PALLONE. Mr. Speaker, I yield such time as he may consume to Mr. 
Waxman.
  Mr. WAXMAN. Well, thank you for yielding. I am not going to take that 
much time, but I do want to respond to the comments that were just made 
on the House floor.
  No one is forced to go on this Web site. No one is forced to buy 
their insurance by going on the Web site. They could go to brokers. 
Once you sign up for insurance, whether it is public or private, your 
information is in their Web. It is in their computer system. That is 
true for private insurance. Does this bill do anything about breaches 
of private insurance? No.
  Now, the majority leader used a quote from someone in the 
administration, I think, to mislead the public about the security of 
healthcare.gov, but that same official said at the end of that quote, 
The added protections that we have put into place are best practices 
above and beyond what is usually recommended.
  No Web site is 100 percent secure, but this effort to scare people 
from signing up for coverage is wrong. If we do care about breaches in 
security, it ought to apply to private and public insurance, not just 
when you sign up, but when they hold your data.
  Mr. PITTS. Mr. Speaker, at this time, I am pleased to yield 3 minutes 
to the gentleman from Michigan (Mr. Upton), the distinguished chairman 
of the Energy and Commerce Committee.
  Mr. UPTON. Mr. Speaker, I rise in strong support of this legislation, 
H.R. 3811, the Health Exchange Security and Transparency Act of 2014.
  Security and transparency are both critically important to every 
American, and the public expects and deserves to have them both when it 
comes to health care.
  Sadly, I believe the administration has failed to deliver. This 
important bill seeks to provide peace of mind to folks in Michigan and 
across the country who have submitted personal information to a Federal 
health insurance exchange. Americans have the right to know in the 
event that their sensitive personal information provided to an exchange 
is compromised, especially as it is the law's individual mandate that 
forces them to purchase the government-approved health care coverage. 
Why wouldn't we want the public to know and be alerted right away?
  Just this morning on CNBC's ``Breaking News,'' the CEO of Target 
apparently is indicating that as many as 70 million Americans--their 
customers--may have had their private information stolen. Would it have 
been right for Target just to sit on that information? Or was it 
appropriate for them to try and put the word out so that at least the 
consumers would have the right information?

                              {time}  1000

  Let me tell you what this bill does. It is a commonsense bill. It is 
going to require that the administration promptly inform individuals 
within 2 business days if their personal information has been stolen or 
unlawfully accessed through an exchange. Through the Energy and 
Commerce Committee's thoughtful oversight, we have uncovered troubling 
information regarding

[[Page H144]]

the security of the health insurance exchanges. What this bill does is 
preventive medicine. Do we want to wait until the horse is out of the 
barn before we take action? I don't think so.
  We found that the administration did not perform a full security 
control assessment before healthcare.gov opened for business on October 
1. We have also learned that just days before healthcare.gov went live, 
senior officials at HHS expressed serious concerns regarding the 
protection of personally identifiable information that was entered into 
their Web site.
  These facts, on top of the fact that the administration has 
repeatedly misrepresented the functionality and the readiness of the 
health care law, raise significant questions regarding the security of 
healthcare.gov and the information available in the exchanges.
  A few weeks ago, the administration was willing to let millions of 
Americans lose their health insurance, despite the President's solemn 
promise that they could keep their health plan if they liked it; and it 
took the House, acting in a bipartisan legislative manner, for the 
administration to confess that, yes, they had broken their promise.
  Now the administration is saying it opposes this requirement that it 
notify Americans when personal information is stolen.
  The SPEAKER pro tempore. The time of the gentleman has expired.
  Mr. PITTS. I yield an additional 30 seconds to the gentleman.
  Mr. UPTON. So the self-proclaimed, most-transparent administration in 
history has come out against transparency. I am sorry Republicans and 
Democrats may disagree on the merits of the President's health care 
law, and we do; but I think that we should all agree that Americans 
deserve to be notified if that personal information is put at risk by 
the law.
  I want to thank Chairman Pitts for putting security and transparency 
above politics, and I would urge my colleagues in a bipartisan way to 
support this bill this morning.
  Mr. PALLONE. Mr. Speaker, I yield 2 minutes to the gentleman from New 
York (Mr. Crowley), the vice chair of the Democratic Caucus.
  Mr. CROWLEY. I thank my friend from New Jersey for yielding me this 
time.
  Mr. Speaker, there are so many truly pressing issues facing our 
Nation, so it is a shame that we are here once again wasting time on 
legislation like this. It doesn't even solve the issues the Republicans 
claim they are trying to address. The truth is, the bill we are 
considering today is far from a productive answer to anything. It is 
just yet another scare tactic to discourage people from obtaining 
health care--that is right. Here is a news flash for you: Republicans 
want to stop people from attaining health care.
  I don't think why we should expect anything else from a party with 
such little vision. Instead of creating opportunity, they have become 
the party that shuts things down. They shut down the government. They 
shut down unemployment insurance for people who are desperately trying 
to find work. They have tried repeatedly to shut down the Affordable 
Care Act. As a matter of fact, 47 times--47 times--they have attempted 
to shut down the Affordable Care Act. Heck, they are even shutting down 
bridges in New Jersey. The fact is, it seems like their agenda is just 
about shutting down things that actually work for American families. 
Republicans can't just slam the door shut again and again on the 
American people. It is time to end this shutdown mentality once and for 
all here in Washington and get back to working on issues of concern to 
the entire Nation.
  Mr. PITTS. Mr. Speaker, may I inquire of the time remaining.
  The SPEAKER pro tempore. The gentleman from Pennsylvania has 13 
minutes remaining, and the gentleman from New Jersey has 6\1/2\ minutes 
remaining.
  Mr. PITTS. Mr. Speaker, I yield 2 minutes to the gentlewoman from 
Tennessee (Mrs. Blackburn), the vice chair of the Energy and Commerce 
Committee.
  Mrs. BLACKBURN. Mr. Speaker, when is this administration finally 
going to start paying attention to the warning signs?
  When career staff at OMB warned the administration that Solyndra 
wasn't ready for prime time, they moved forward anyway and lost 
hardworking taxpayers a half billion dollars.
  When private consultants told the White House and HHS officials last 
spring that there were problems with healthcare.gov, they moved forward 
anyway.
  When CMS sent a memo just 4 days before healthcare.gov went live and 
warned about ``inherent security risks''--their terminology--the 
administration moved forward anyway. So their failed policy of forward 
is costing us money and is getting people into trouble. This is what we 
are hearing from an Experian report. America's personal information is 
at high risk on healthcare.gov. There is a great opportunity for a data 
breach.
  Mr. Speaker, this is something we can stop. The bill today does that. 
It is simple. It addresses the problem. What it does very simply--and I 
commend the gentleman from Pennsylvania for the Health Exchange 
Security and Transparency Act--it accomplishes what this administration 
has failed to make a standard practice. It will force HHS to inform 
anyone if their information has been breached, and they have to do this 
within 2 business days. They can't hide it. They can't spin it. They 
have got to tell you if your information has been breached.
  We do this because if the administration is going to require us--and, 
yes, to my colleagues, it is a requirement--to use healthcare.gov, at 
least they can notify you when your information has been breached.
  Mr. PALLONE. Mr. Speaker, I yield 3 minutes to the gentlewoman from 
Texas (Ms. Sheila Jackson Lee).
  Ms. JACKSON LEE. I thank the distinguished gentleman, and I thank the 
manager of this legislation, and I thank the good intentions of our 
colleagues.
  I want to pause for a moment, Mr. Pallone, and just simply say that 
although these are important issues, as a member of the House Judiciary 
Committee, I helped draft the PATRIOT Act and business record 215, and 
we are now looking to constrain the collection of mega-data, and I 
accept the importance of privacy for the American people. But I pause 
for just a moment to ask my colleagues, we have enough time today to 
actually pass the extension of the unemployment benefits. There are 1.3 
million people, 12,000 in my own community, who would like us to stay 
here and make sure that we get that done. I hope that my friends on the 
other side of the aisle will accept the challenge of Republicans 
putting an extension of the unemployment benefits on the floor to help 
unemployed Americans.
  But this is an important issue as well, and I do want to say that our 
friends have not documented any breach on personal and private data of 
those individuals that have accessed the Affordable Care Act, which are 
9 million plus, and growing. We have had 46 votes to repeal it. Now we 
come one by one with legislation that has not gone through regular 
order. It has not gone through the committee process. It has very good 
intentions; but, in actuality, it may be overly burdensome because, Mr. 
Speaker, there is no bar. There is no limit for HHS to provide notice 
for any possible breach within seconds or minutes or hours after the 
incident may have occurred.
  Frankly, this legislation doesn't go far enough. Let me give you a 
few facts. The Affordable Care Act implementation of healthcare.gov is 
under the authority of HHS. HHS assigned the task for developing 
healthcare.gov to the agency's Center for Medicare and Medicaid 
Services. Under the Federal Privacy Act, all Federal agencies must 
draft regulations to protect personally identifiable information under 
their control.
  The Federal Privacy Act was established by an act of Congress and 
concurrence of the executive branch to balance the government's need to 
maintain personal information on Americans with the right of 
individuals to be protected against unwarranted invasions of their 
privacy.
  The Privacy Act came as a direct result of the work of the Church 
Committee following revelations that the government has routinely used 
records on citizens for political purposes to engage in surveillance or 
retaliatory activity. There were a series of laws

[[Page H145]]

passed by Congress to protect the privacy of Americans.
  Computer records management was of such grave concern to Members of 
Congress following investigations into disclosures that then-President 
Nixon had used his high office to seek out by means to exact 
retribution against political enemies by causing harm to careers, 
reputations as well as financial injury through IRS audits.
  The SPEAKER pro tempore. The time of the gentlewoman has expired.
  Mr. PALLONE. I yield an additional 1 minute to the gentlewoman.
  Ms. JACKSON LEE. So we have had an intense interest since the report 
``Records, Computers, and the Rights of Citizens'' was produced in 
1973. HHS is chiefly responsible for why the United States became the 
first Nation in the world to draft a Federal privacy law. They know 
what to do. They developed the Code of Fair Information practices which 
have five principles, one of which says there must be no personal data 
recordkeeping systems whose very existence is secret, that is, to not 
use the data of people in the wrong way.
  There is the CMS Policy for Privacy Act, and I offer this for the 
Record.
  The baseline of my point is that HHS was at the core of developing 
privacy. There have been no known breaches. There is no bar for CMS and 
HHS to tell the American public or the individual immediately.
  This bill will add burdensome requirements and may--it may--distract 
or take away from legal and lawful law enforcement investigations. I 
ask that we look at this together in a bipartisan manner. I believe in 
privacy. I hope we can work together, Mr. Pallone, and make this what 
it should be; but I think the American people are protected.
  Mr. Speaker, I rise to speak on H.R. 3811, the Health Exchange 
Security and Transparency Act of 2014.
  I would like to commend the author of the bill for the focus on 
privacy.
  Privacy protection is a policy area that has strong bi-partisan 
agreement.
  However, because H.R. 3811 did not go through regular order there was 
no opportunity for the Committees of jurisdiction to provide valuable 
input into its drafting.
  I would like to offer a few facts that may make it clear that this 
bill, although well intentioned is not necessary in its current form.
  The Affordable Care Act implementation of healthcare.gov is under the 
authority of the Department of Health and Human Services (HHS).
  HHS assigned the task for developing healthcare.gov to the agency's 
Centers for Medicare & Medicaid Services (CMS).
  Under the Federal Privacy Act all federal agencies must draft 
regulations to protect personally identifiable information under their 
control.
  The Federal Privacy Act was established by an act of Congress and 
concurrence of the Executive Branch to balance the Government's need to 
maintain personal information on Americans with the right of 
individuals to be protected against unwarranted invasions of their 
privacy.
  The Privacy Act came as a direct result of the work of the Church 
Committee following revelations that the government had routinely used 
records on citizens for political purposes to engage in surveillance or 
retaliatory activity a series of laws were passed by Congress to 
protect the privacy of Americans.
  Computer records management was of such grave concern to members of 
Congress following investigations into disclosures that then President 
Nixon had used his high office to seek out means to exact retribution 
against political enemies by causing harm to careers, reputations as 
well as financial injury through IRS audits.
  In 1973, a report ``Records, Computers, and the Rights of Citizens'' 
was produced by the former Federal Department of Health Education and 
Welfare (HEW), which today exists as two agencies one of which is the 
Department of Health and Human Services (HHS) established the first 
federal agency privacy policies for information held on Americans.
  HHS is chiefly responsible for why the United States became the first 
nation in the world to draft a federal privacy law.
  HHS developed the Code of Fair Information practices which later 
became the basis for the Federal Privacy Act.
  The Code of Fair Information Practices has five principles:
  There must be no personal data record-keeping systems whose very 
existence is secret.
  There must be a way for a person to find out what information about 
the person is in a record and how it is used.
  There must be a way for a person to prevent information about the 
person that was obtained for one purpose from being used or made 
available for other purposes without the person's consent.
  There must be a way for a person to correct or amend a record of 
identifiable information about the person.
  Any organization creating, maintaining, using, or disseminating 
records of identifiable personal data must assure the reliability of 
the data for their intended use and must take precautions to prevent 
misuses of the data.
  The Federal Privacy Act protects all personal information managed by 
Federal agencies.
  We know that not all agencies do a good job at protecting the 
personal information of citizens so today's focus on privacy is 
relevant and important.
  However, our focus should be much broader and better informed 
regarding the work of each agency in this area.
  Committee hearings would have been beneficial in informing the 
drafters of H.R. 3811, prior to its introduction on the Floor of the 
House for a vote.
  For example, authors of the bill may have taken a different approach 
if it was acknowledged that the CMS has several policy documents 
specific to the topic of protecting personal identifiable information 
of medical records data:
  CMS Policy for Privacy Act Implementation & Breach Notification (7/
23/07)
  Risk Management Handbook Volume III Standard 7.1 (12/6/12)
  Incident Handling and Breach Notification
  CMS Privacy Policy is written to meet obligations established by the 
Federal Privacy Act of 1974 (5 U.S.C., 552a), the Computer Matching and 
Privacy Protection Act of 1988 (Public Law 100-503) and the Department 
of Health and Human Services Privacy Act Regulations (45 C.F.R. Part 
5b).
  I want to assure my colleagues that under the Federal Privacy Act all 
Federal agencies must ``develop an effective response to [breaches] 
that requires disclosure of information regarding the breach to those 
individuals affected by it, as well as to persons and entities in a 
position to cooperate, either by assisting in notification to affected 
individuals or playing a role in preventing or minimizing harms from 
the breach.''
  All agencies, which include CMS, must report all incidents involving 
personally identifiable information to US-Computer Readiness Team or 
(US-CERT).
  The US-CERT reporting requirement does not distinguish between 
potential and confirmed breaches--all must be reported within 1 hour of 
discovery/detection.
  The CMS policy on breach notification has 5 criteria to determine if 
a breach has occurred:
  Nature of the Data Elements Breached
  Number of Individuals Affected
  Likelihood the Information is Accessible and Usable
  Likelihood the Breach May Lead to Harm
  Ability of the Agency to Mitigate the Risk of Harm
  CMS is directed to provide notification without unreasonable delay 
following the discovery of a breach, consistent with the needs of law 
enforcement and any measures necessary for CMS to determine the scope 
of the breach and, if necessary, to restore the integrity of the 
computerized system.
  The consideration of Law-enforcement in government agency breaches is 
very important because this type of crime can take place in seconds or 
it may occur over hours, days, weeks or months.
  Law-enforcement in investigation of data breaches attempts to 
identify the culprit(s) and others who may be involved.
  To avoid impeding the efforts of law-enforcement or national security 
H.R. 3811, the Health Exchange Security and Transparency Act of 2014 
should have included a law-enforcement exception.
  Responsibility for information on individuals whose personally 
identifiable information has been breached is the CMS Administrator the 
highest official of the agency.
  However, if the data breach is under 50, the notice may also be 
issued by the CMS Chief Information Officer or Senior Official for 
Privacy.
  CMS Breach Notification to individuals must be in writing that should 
be ``concise, conspicuous, and in plain language'' and include the 
following:
  Brief description of what happened, including date(s) and its 
discovery;
  Description of the types of information involved in the breach;
  Whether the information was encrypted or protected by other means 
when determined the information may be useful or compromise the 
security of the system;
  What steps individuals should take to protect themselves from 
potential harm;
  What the agency is doing; and
  Who affected individuals should contact
  There is no evidence that healthcare.gov had a breach of personal 
information.

[[Page H146]]

  If such a breach had occurred it would not be secret and members of 
this body would have been briefed.
  First, the most important rule for cyber security is following the 
example of the professionals who work in this fast paced area: truth 
comes before beauty. The truth is that there is no computer system that 
is 100 percent secure from hostile cyber attacks, natural disasters, 
structural failures or human errors.
  Second, the Internet is a rough neighborhood--the best we can do is 
to design the best systems possible provide the resources necessary to 
follow through on good security and privacy designs and ignore the 
politics of the moment. The most dangerous threats to cyber security do 
not care about anyone's political party they may care very much about 
your nation of origin.
  Third, cyber security is not about the 14 year old with a laptop, but 
the botnet attack from a coordinate effort that brings to the 
discussion significant threats to networks. There is no evidence that 
nothing occurred that would suggest that the website experienced 
anything of this nature.
  Congress should use regular order to consider means and methods of 
securing all federal data that is categorized as personally 
identifiable information.
  Attempts to misinform or frighten Americans regarding the 
healthcare.gov or the Patient Protection and Affordable Care Act 
implementation mechanisms are unwarranted.
  CMS has a detailed and well managed program for ensuring that 
personally identifiable information is secure and when questions arise 
they have a top level ``Incident Handling'' protocol that is through in 
investigating issues and uncovering the facts regarding suspected 
breaches.
  CMS relies upon US-CERT, which is part of DHS' National Cybersecurity 
and Communications Integration Center (NCCIC) to address breaches of 
data it manages.
  The Department of Homeland Security's United States Computer 
Emergency Readiness Team (US-CERT) leads efforts to improve the 
nation's cybersecurity posture, coordinate cyber information sharing, 
and proactively manage cyber risks to the Nation while protecting the 
constitutional rights of Americans.
  CMS informs US-CERT within an hour of a suspected breach incident.
  However, a report does not mean that an incident occurred an 
investigation must proceed to determine if the report is valid.
  It is important note that premature breach notices being sent to 
consumers regarding their personally identifiable information could 
have unintended and adverse outcomes for several reasons:
  Notice fatigue--too many notices and people stop paying attention;
  Increased cost of administering a program due to additional 
communications that inform people that the initial breach notice was a 
false alarm;
  Giving notice to cyber criminals or terrorists that they have been 
discovered before law enforcement or national security can assess how 
the extent of the threat, the target or objective of the attack and 
trace the source of the threat with the goal of identifying the 
culprits; and
  Correcting the problem that allowed the breach to occur
  HHS should only collect the personally identifiable information that 
is necessary, used it for the purpose of the collection and promptly 
discarded that data so no database or system of records is created.
  I commend my colleagues for the focus on Privacy and hope that we can 
work together to improve the protection of personal information on 
Americans throughout the Federal Government.
  I strongly recommend that my colleagues vote to send this bill back 
for committee consideration so that its goal of improving privacy 
protection can be better matched to the reality of what CMS is 
currently doing in the area of breach notification, which conforms to 
what Americans need and law-enforcement as well as national security 
must have to protect federal agency computer networks.

                             1 Introduction

       CMS must be able to respond to computer security-related 
     and/or privacy-related incidents in a manner that protects 
     its own information and helps to protect the information of 
     others that might be affected by the incident.
       This Risk Management Handbook Volume III, Standard 7.1, 
     Incident Handling and Breach Notification standard, along 
     with the companion procedures of the RMH Volume II, Procedure 
     7.2, Incident Handling, supersedes the CMS Information 
     Security (IS) Incident Handling and Breach Analysis/
     Notification Procedure dated December 3, 2010.

                             1.1 Background


                          1.1.1 SECURITY EVENT

       A Security Event is an observable occurrence in a network 
     or system (e.g., known or suspected penetrations of 
     information Technology (IT) resources, probes, infections, 
     log reviews), or any occurrence that potentially could 
     threaten CMS data confidentiality, integrity, or 
     availability.


                         1.1.2 REPORTABLE EVENT

       A Reportable Event is any activity or occurrence that 
     involves:
       A matter that a reasonable person would consider a 
     violation of criminal, civil, or administrative laws 
     applicable to any Medicare contract or federal health care 
     program.
       Integrity violations, including any known, probable, or 
     suspected violation of any Medicare contract term or 
     provision.
       A matter considered to have an ``adverse'' impact on the IT 
     system/infrastructure or CMS data confidentiality, integrity, 
     or availability. Examples of specific events that should be 
     reported include (but are not limited to):
       Unauthorized access to or use of sensitive data for illegal 
     purposes.
       Unauthorized altering of data, programs, or hardware.
       Loss of mission-essential data (i.e., patient, financial, 
     benefits, legal, etc.).
       Environmental damage/disaster (greater than $10,000) 
     causing loss of IT services or data, or which may be less 
     than $10,000 in damage yet affect CMS' ability to continue 
     any day-to-day functions and operations.
       Infection of sensitive systems, firmware, or software by 
     malicious code (i.e., Viruses, Worms and Trojan Horses, 
     etc.).
       Perpetrated theft, fraud, vandalism, and other criminal 
     computer activity that did, or may, affect the organization's 
     capabilities to continue day-to-day functions and operations.
       Telecommunications/network security violations, i.e., 
     networks (including local area networks [LANs], metropolitan 
     area networks [MANs], and wide area networks [WANs]) that 
     experience service interruptions that cause an impact to an 
     indefinite number of end users.
       Unauthorized access to data when in transmission over 
     communications media.
       Loss of system availability affecting the ability of users 
     to perform the functions required to carry out day-to-day 
     responsibilities.
       Root-level attacks on networking infrastructure, critical 
     systems, or large, multi-purpose, or dedicated servers.
       Compromise (or disclosure of account access information) of 
     privileged accounts on computer systems.
       Compromise (or disclosure of account access information) of 
     individual user accounts or desktop (single-user) systems.
       Denial-of-service attacks on networking infrastructure and 
     systems.
       Attacks launched on others from within organizational 
     boundaries or systems.
       Scans of internal organizational systems originating from 
     the Internet or from within the organizational boundaries.
       Any criminal act that may have been committed using 
     organizational systems or resources.
       Disclosure of protected data, including paper disclosure, 
     email release, or inadvertent posting of data on a web site.
       Suspected information-technology policy violation.
       A Reportable Event may be the result of an isolated event 
     or a series of occurrences. Reportable Events under these 
     procedures include events that occur at CMS federal sites, 
     contractor/subcontractor sites/systems, consultants, vendors 
     or agents. If the Reportable Event results in an overpayment 
     relating to either Trust Fund payments or administrative 
     costs, the report must describe the overpayment with as much 
     specificity as possible, as of the time of the due date for 
     the submission of the report.
       Security events that may consist of an observable 
     occurrence in a network or system (e.g., detected probes, 
     infections prevented, log reviews, etc.), that do not 
     threaten system integrity, are not considered Reportable 
     Events unless they may be reasonably associated with other 
     incidents, Reportable Events, or breaches. CMS categorizes 
     these events in a monthly report to the Department of Health 
     and Human Services (HHS) (hereafter referred to as the 
     ``Department'' or ``HHS'') Cybersecurity Program as follows:
       Malicious Code Prevented: Viruses were prevented and did 
     not cause any harm to any system.
       Probes and Reconnaissance Scans Detected: Probes and scans 
     were detected but did not pose a serious threat to a CMS 
     system.
       Inappropriate Usage: Misuse of computing resources by an 
     otherwise authorized individual.
       Other: Cannot be categorized under any of the above and do 
     not threaten system integrity.
       There are many events that may be flagged as inappropriate 
     use of resources, but reflect situations that do not fall 
     under the definitions associated with incidents, Reportable 
     Events, or breaches. In such cases, reporting should be made 
     through applicable contractual resources, or through 
     appropriate Federal Fraud, Waste, and Abuse reporting 
     channels.


                       1.1.3 PRIVACY INFORMATION

       Privacy is the right of an individual to control their own 
     personal information, and not have it disclosed or used by 
     others without permission. At CMS, we are charged with 
     protecting other people's private information--that of every 
     citizen (or legal resident) beneficiary utilizing benefits 
     the vast Medicare/Medicaid program, as well as many 
     subsidiary programs.
       Confidentiality is the obligation of another party to 
     respect privacy by protecting personal information they 
     receive, and preventing it from being used or disclosed 
     without the subject's knowledge and permission.

[[Page H147]]

     Again, at CMS we are charged with protecting the 
     confidentiality of other people's citizen-beneficiary 
     information. A breach of that confidentiality is not simply a 
     failure of a ``technical control'', it is a basic failure of 
     CMS to meet its obligation to protect the individual citizen. 
     Moreover, unlike the banking industry where financial 
     compensation is a readily-available remedy to a breach, 
     private medical information cannot be simply replaced with 
     something of ``similar value'', or by simply closing an 
     account, and opening a new (better protected) one. Once a 
     privacy breach occurs, the ramifications can be far-reaching 
     and long lasting--with no readily available ``patch'' to undo 
     the damage (we cannot simply replace one violated health 
     record with a brand new one.)
       Security is the means used to protect the confidentiality 
     of personal information through physical, technical, and 
     administrative safeguards.
       Privacy is the ``business objective'' of security. The core 
     of the relationship between information security and 
     information privacy lies in the fact that security, or lack 
     of it, is the determinant of the level of privacy that a 
     system or infrastructure can assure. If there is a breach of 
     computer security, it has a corresponding negative effect on 
     the confidentiality, integrity, and availability of the 
     information therein. Inadequate security leads directly to 
     loss of privacy. Therefore, if privacy is the ``business 
     objective'', then security is the ``functional requirements'' 
     necessary for an IT system to meet those ``business 
     objectives''.


           1.1.3.1 PERSONALLY IDENTIFIABLE INFORMATION (PII)

       Personally Identifiable Information (PII) is information 
     which can be used to distinguish or trace an individual's 
     identity, such as their name, social security number, 
     biometric records, etc. alone, or when combined with other 
     personal or identifying information which is linked or 
     linkable to a specific individual, such as date and place of 
     birth, mother's maiden name, etc. PII also includes 
     individually identifiable health information as defined by 
     the Health Insurance Portability and Accountability Act 
     (HIPAA) of 1996, Privacy Rule (45 CFR Section 164.501. PII is 
     also often referred to as personally identifiable data or 
     individually identifiable information.


              1.1.3.2. Protected Health Information (PHI)

       Protected Health Information (PHI) is individually 
     identifiable health information held or transmitted by a 
     covered entity or its business associate, in any form or 
     media, whether electronic, paper, or oral.
       Individually Identifiable Health Information is a subset of 
     health information, including demographic data collected 
     concerning an individual that:
       Is created or received by a healthcare provider, health 
     plan, employer, or healthcare clearinghouse.
       Relates to the past, present or future physical or mental 
     health or condition of an individual; the provision of 
     healthcare to an individual; or the past, present, or future 
     payment for the provision of healthcare to an individual, and 
     meets either of the following:
       Identifies the individual.
       There is a reasonable basis to believe the information can 
     be used to identify the individual.
       The HIPAA Privacy Rule excludes from the definition of PHI 
     individually identifiable health information that is 
     maintained in education records covered by the Family 
     Educational Right and Privacy Act (as amended, 20 U.S.C. 
     1232g) and records described at 20 U.S.C. 1232g(a)(4)(B)(iv), 
     and employment records containing individually identifiable 
     health information that are held by a covered entity in its 
     role as an employer.
       The HIPAA Privacy Rule covers PHI in any medium (including 
     paper) while the HIPAA Security Rule covers PHI in electronic 
     form (ePHI) only.


                1.1.3.3 DE-IDENTIFIED HEALTH INFORMATION

       With those definitions in place, what information (or data) 
     elements comprise PHI such that, if they were removed, the 
     above definition of individually identifiable health 
     information would not apply? The answer is in the HIPAA de-
     identification use standard and its two implementation 
     specifications of the HIPAA Privacy Rule.
       There are no restrictions on the use or disclosure of de-
     identified health information. De-identified health 
     information neither identifies nor provides a reasonable 
     basis to identify an individual. There are two specifications 
     for de-identifying individually identifiable health 
     information; either: 1) a formal determination by a qualified 
     statistician; or 2) the removal of specified identifiers of 
     the individual and of the individual's relatives, household 
     members, and employers is required, and is adequate only if 
     the covered entity has no actual knowledge that the remaining 
     information could be used to identify the individual.
       The following identifiers of the individual or of 
     relatives, employers, or household members of the individual 
     must be removed to achieve the safe harbor method of de-
     identification:
       1. Names
       2. All geographic subdivisions smaller than a State, 
     including street address, city, county, precinct, zip code, 
     and their equivalent geocodes, except for the initial three 
     digits of a zip code if, according to the current publicly 
     available data from the Bureau of Census:
       a. The geographic units formed by combining all zip codes 
     with the same three initial digits contains more than 20,000 
     people.
       b. The initial three digits of a zip code for all such 
     geographic units containing 20,000 or fewer people is changed 
     to 000.
       3. All elements of dates (except year) for dates directly 
     related to the individual, including birth date, admission 
     date, discharge date, date of death; and all ages over 89 and 
     all elements of dates (including year) indicative of such 
     age, except that such ages and elements may be aggregated 
     into a single category of age 90 or older.
       4. Telephone numbers
       5. Fax numbers
       6. Electronic mail addresses
       7. Social security numbers
       8. Medical record numbers
       9. Health plan beneficiary numbers
       10. Account numbers
       11. Certificate/license numbers
       12. Vehicle identifiers and serial numbers, including 
     license plate numbers
       13. Device identifiers and serial numbers
       14. Web Universal Resource Locators (URLs)
       15. Internet Protocol (IP) address numbers
       16. Biometric identifiers, including finger and voiceprints
       17. Full face photographic images and any comparable 
     images.
       18. Any other unique identifying number, characteristic, or 
     code, except as permitted for re-identification purposes 
     provided certain conditions are met
       In addition to the removal of the above-stated identifiers, 
     the covered entity may not have actual knowledge that the 
     remaining information could be used alone or in combination 
     with any other information to identify an individual who is 
     subject of the information.

  Mr. PITTS. Mr. Speaker, at this time I am pleased to yield 1 minute 
to the gentleman from Louisiana (Mr. Scalise), the distinguished 
chairman of the Republican Study Committee and a member of the Energy 
and Commerce Committee.
  Mr. SCALISE. I thank the gentleman from Pennsylvania for yielding and 
for bringing the Health Exchange Security and Transparency Act. Mr. 
Speaker, all we are saying here is if American families' personal 
information is stolen through this Web site, through the exchange Web 
site, they ought to be notified by the administration that their data 
was breached.
  And, of course, you have the White House actually coming out and 
saying they will veto this bill. What does the Obama administration 
have against protecting the privacy of American families' personal 
information? You have got an administration official who testified for 
our committee, the chief information security officer who actually said 
there is also no confidence that personal identifiable information will 
be protected.
  Well, if they can't ensure the protection--and by the way, the 
individual mandate says this is not an option for American families, 
they have to go through this exchange to get insurance that is approved 
by the government. So if the government is going to mandate it, and we 
don't want the government to mandate this, but if they are going to 
mandate it, they ought to be able to ensure that the data is protected. 
And if it is breached, they ought to notify them that this has 
happened. And yet they issue a veto threat against this. We need to 
pass this legislation and put this transparency in law. Pass this bill.
  Mr. PALLONE. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, once again I hear my colleagues on the other side 
repeating the same things that are not accurate. You do not have to go 
on healthcare.gov to sign up for health insurance. Mr. Waxman said you 
can go to a private insurance broker or call an 800 number. You can go 
through various nonprofits. They keep repeating the same thing, and we 
keep having to say that there have been no breaches.
  The gentleman mentioned the administration. The administration 
statement, which I read before and I will only summarize part of it 
now, it says that the Federal Government has already put in place an 
effective and efficient system for securing personally identifiable 
information in the health insurance marketplace. The administration 
opposes the bill because it would create unrealistic and costly 
paperwork requirements that do not improve the safety or security of 
personally identifiable information in the health insurance 
marketplace. The purpose of the bill I understand; but it is simply not 
necessary, and it is just making people fearful of signing up.
  I reserve the balance of my time.
  Mr. PITTS. Mr. Speaker, I yield 1 minute to the gentleman from 
Colorado (Mr. Gardner).

[[Page H148]]

                              {time}  1015

  Mr. GARDNER. I thank the chairman of the committee for his good work.
  Mr. Speaker, I would remind our colleagues that when you call the 800 
number to sign up for the exchange policies, as was heard before our 
committee in testimony, the people who get that number on that phone 
call then turn around and use the healthcare.gov site--the information, 
the Web site--to input that information. So you are forced to go 
through this site.
  A couple of weeks ago I received this letter:

       We are writing to you because an electronic file containing 
     your personal information cannot be accounted for. The file 
     included two or more of the following: your name, home 
     mailing address, and Social Security number.

  The letter went on to say:

       We wanted to alert you to the potential that someone not 
     authorized to access the records could have seen the 
     information.

  This letter came from the State of Colorado, this letter from the 
State of Colorado because they couldn't hold on to State employees' 
private personal identification information.
  All we are asking for is that we protect the privacy, the security of 
the American people. To oppose this bill, to issue a veto threat, if 
the site is secure, they will never receive the notice; if it is not, 
we will have acted to protect the American people.

                                            State of Colorado,

                                                         Yuma, CO.
       Mr. Gardner: We are writing to you because an electronic 
     file containing your personal information cannot be accounted 
     for. The file included two or more of the following: your 
     name, home/mailing address and Social Security number.
       There is no indication that your information has been 
     misused or stolen, and we are continuing efforts to account 
     for the file. Still, we wanted to alert you to the potential 
     that someone not authorized to access the records could have 
     seen the information, although that is unlikely.
       As a precaution, we recommend that you visit the Colorado 
     Attorney General's Office's website at http://www.colorado
     attorneygeneral.gov/initiatives/identity
     _theft, which contains information on how to protect yourself 
     from the possibility of identity theft. Once again, we do not 
     have any indication that your information has been misused or 
     stolen and believe such misuse is unlikely.
       We deeply regret that this incident occurred. We want to 
     assure you that we are reviewing and revising our procedures 
     and practices to minimize the risk of recurrence. Should you 
     need any further information, please contact the Office of 
     Information Security at [email protected]
           Sincerely,
                                                Jonathan C. Trull,
                               Chief Information Security Officer.

  Mr. PALLONE. Mr. Speaker, I reserve the balance of my time.
  Mr. PITTS. Mr. Speaker, I am pleased to yield 1 minute to the 
gentleman from Ohio (Mr. Jordan).
  Mr. JORDAN. Mr. Speaker, the independent contractor said they were 
unable to adequately test the confidentiality and integrity of the 
system. They said no complete end-to-end testing was done. The chief 
information security officer recommended not launching it, her boss 
refused to sign the authority to operate, and they launched it anyway. 
They knew, the administration knew this Web site wasn't ready; they 
launched it anyway. The whole country now knows it wasn't ready. They 
launched it anyway, put millions of people's personal information at 
risk, and they did it for political reasons.
  Now all we are asking--all we are asking--is when there is a breach, 
when there is a problem, at least tell the American citizens. You 
already launched a Web site for political reasons that you knew wasn't 
ready, put millions of Americans' personal information at risk. You 
already did that. Now we are saying, if there is a problem, at least 
tell them. That is all this bill does.
  And what does the administration say? We are going to veto that bill 
if it happens.
  You have got to be kidding me. You have got to be kidding me. That is 
all this is about.
  So I want to commend Mr. Pitts, the committee, and those individuals 
who put work into this. It is a good piece of legislation, and I would 
urge a ``yes'' vote.
  Mr. PALLONE. Mr. Speaker, I continue to reserve the balance of my 
time.
  Mr. PITTS. Mr. Speaker, at this time, I am pleased to yield 1 minute 
to the gentlelady from Kansas (Ms. Jenkins), the distinguished 
secretary of our caucus.
  Ms. JENKINS. Mr. Speaker, I thank the gentleman for yielding.
  Health care is a personal issue, and many Kansans are worried about 
submitting their sensitive and private information into a system that 
can't protect them against the devastating consequences of security 
breaches and fraud.
  Experts have repeatedly raised red flags about the security of the 
information people are submitting to the ObamaCare exchanges, and a 
former Social Security Administrator even described the Web site as a 
hacker's dream. Important questions about the Web site security remain 
unanswered, and Americans, especially those who have lost their plans 
due to the President's health care law, deserve some piece of mind that 
their information is safe from cyber thieves.
  I urge my colleagues to support this bill that requires HHS to notify 
Americans within 2 business days if their personal information has been 
compromised. Much more is required of private sector companies whose 
products are not mandated by law. The least the administration can do 
is notify Americans if their information has been stolen or unlawfully 
accessed through the ObamaCare exchange.
  Mr. PALLONE. Mr. Speaker, I continue to reserve the balance of my 
time.
  Mr. PITTS. Mr. Speaker, at this time, I am pleased to yield 1 minute 
to the gentlelady from Indiana (Mrs. Walorski).
  Mrs. WALORSKI. Mr. Speaker, I am pleased to cosponsor this 
legislation to enact much-needed consumer protections for 
healthcare.gov.
  It is unfair that the Department of HHS launched healthcare.gov 
without performing a complete security control assessment. Installing 
the necessary safeguards for the exchanges should have been the 
administration's top priority.
  Now Congress has an opportunity to pass a law that simply requires 
HHS to notify consumers within 2 business days if their personal 
information is unlawfully accessed or stolen. In a digital world, 
Americans deserve to know their information is compromised so they can 
immediately take action to protect themselves.
  Last summer, I traveled my entire district in Indiana to notify and 
to make aware cybersecurity issues and steps to avoid identity theft. 
Hoosiers in Indiana, especially seniors, shared with me frightening 
stories about fraud and scams. They need to know that healthcare.gov 
will not contribute to the cybersecurity dilemma. This is the kind of 
representation they deserve in Congress.
  I urge my colleagues to support this commonsense law to safeguard our 
personal information.
  Mr. PALLONE. Mr. Speaker, I continue to reserve the balance of my 
time.
  Mr. PITTS. Mr. Speaker, we are prepared to close, and I reserve the 
balance of my time.
  Mr. PALLONE. Mr. Speaker, I just want to say, again, I am not saying 
that I am opposed to some kind of security notification. In fact, it 
already exists and there is a protocol in place with the Department of 
Health and Human Services. The point is that this Republican bill is 
simply not necessary. That security already exists.
  The fact of the matter is there have not been any security breaches. 
Once again, we are simply seeing the Republicans get up and try to 
scare people so that they don't go and use healthcare.gov, the Web 
site.
  What we would really like to see, Mr. Speaker, is the day when, on 
both sides of the aisle here, we can simply get up and talk about 
legislation that continues to provide outreach and encourage people to 
sign up for the Web site and get the health insurance that they need. I 
still honestly believe that most Republicans and Democrats collectively 
would like to see most Americans covered with health insurance. That 
was the purpose of the Affordable Care Act.
  I think my one optimistic note today could be at least we are not 
seeing another bill on the floor that would seek to repeal the 
Affordable Care Act. Hopefully, that is some recognition on the 
Republican side that the Affordable

[[Page H149]]

Care Act is actually accomplishing its goal of trying to cover most 
Americans, if not all Americans.
  With that, Mr. Speaker, I urge my colleagues to oppose this 
unnecessary bill, and I yield back the balance of my time.

  Mr. PITTS. Mr. Speaker, some have argued that requiring HHS to report 
a data breach that is known to have resulted in a loss of personal 
identifiable information within 2 days is too burdensome for the 
Department. In fact, the administration opposes this legislation for 
``paperwork requirements.''
  I am frankly shocked that any Member of this body would put workload 
concerns of HHS ahead of their constituents' right to know if their 
data has been breached when many of our constituents are essentially 
being forced to shop through these exchanges.
  In addition, CMS has stated that States and other nonexchange 
entities are required to report data breaches to the Department within 
1 hour to HHS. If HHS believes 1 hour is enough time to report, then 
they should certainly be able to tell our constituents within 2 days 
after knowing an individual's information was breached through an 
exchange.
  Our constituents deserve to know if their personal information has 
been breached. That is all the underlying bill requires. Our 
constituents have a right to know. They should have peace of mind, and 
we should be protecting them, the victims, not the bureaucracy.
  I urge my colleagues to support this commonsense, important bill, and 
I yield back the balance of my time.
  Mr. DeFAZIO. Mr. Speaker, I will vote for H.R. 3811 with significant 
reservations. There is no question that Americans must be quickly 
notified if their personal information on Healthcare.gov or a state 
exchange website is compromised. Current law accomplishes this without 
a hard and fast deadline. H.R. 3811 aims to add a hard deadline for 
notification, and that is why I voted for it. Unfortunately the bill is 
poorly drafted. H.R. 3811 fails to provide any delay for public 
disclosure if immediate disclosure would derail a federal 
investigation. Americans have a right to know if their personal 
information has been stolen or misused, but it is also critical that 
our federal law enforcement agencies be able to hunt down and prosecute 
those responsible for a data breach. Republicans need to work with the 
Administration and Democrats in Congress to come up with a bipartisan 
solution that makes sure that enforcement can do their job and 
establishes prompt but reasonable disclosure requirements to protect 
consumers.
  Mr. BLUMENAUER. Mr. Speaker, we are in a new year, and a new session. 
The Affordable Care Act is the law of the land, and we should find a 
way to move past this empty, meaningless bickering.
  I will vote against H.R. 3811 because this bill is a diversion tactic 
by the Republicans, designed to scare Americans away from obtaining 
affordable health coverage and further undermines confidence in 
Government.
  This bill serves no useful purpose. The mere fact that this bill is 
only directed at the Department of Health and Human Services (HHS), and 
no other agency that handles personally identifiable information, 
demonstrates that Republicans are only attacking the Affordable Care 
Act for political purposes; not to make it work better to give 
Americans the health care they are entitled to under the law.
  Not only is this bill a waste of time, but it detracts from the real 
work we need to do to strengthen our health care system. If my 
colleagues were serious about improving the Affordable Care Act, we'd 
welcome that discussion, but to date the only interest they have is 
frightening Americans away from a law that would provide the 
affordable, accessible health coverage to those who need it most.
  Just this week, the Centers for Medicare and Medicaid Services (CMS) 
announced that the increase in overall health care costs for the last 
four years is the lowest we've ever recorded in part as a result of the 
reforms taking place. We should be focused how to build on and take 
advantage of that trend, for example repealing the flawed and 
burdensome Medicare sustainable growth rate (SGR) and avoid the ordeal 
we subject the health care community to every year.
  Please let's stop this senseless exercise in futility and work 
together for a more productive 2014 and effectively provide the 
healthcare Americans are entitled to under the Law.
  Mr. DINGELL. Mr. Speaker, I rise in opposition to H.R. 3811, the 
Health Exchange Security and Transparency Act.
  There is a very real and pressing need for Congress to enact data 
security and breach notification requirements. But H.R. 3811 isn't the 
way to do it. At only a paragraph long, the bill is vague, far too 
limited in scope and, quite frankly, absolutely unworkable. It fails to 
define what constitutes ``personally identifiable information,'' a key 
component to any successful data security and breach-bill. It applies 
only to the Affordable Care Act and has no bearing on the sorts of 
massive breaches like the one Target just reported. And its 48-hour 
notification requirement would impede accurate reporting to consumers 
about whose and what information has been breached.
  Mr. Speaker, H.R. 3811 isn't meant to solve a problem. It's another 
attempt by my Republican friends to throw egg on the Administration's 
face. Our consideration of this bill is also an affront to regular 
order because H.R. 3811 hasn't even been considered by the Committee on 
Energy and Commerce. That said, data security and breach notification 
legislation is absolutely necessary. If my friends on the other side of 
the aisle are truly willing to work on comprehensive bipartisan 
legislation, they'll find a willing partner in me. But they have to 
stop with cynical, politically motivated half-measures and genuinely 
commit to protecting the interests of consumers.
  Vote down this bill.
  Mr. SMITH of Texas. Mr. Speaker, when the Obama Administration 
launched Healthcare.gov, Americans were led to believe that the website 
was safe and secure. As the Science, Space, and Technology Committee 
learned at our hearing in November, this was not the case.
  Healthcare.gov comprises one of the largest collections of personal 
information ever assembled.
  The Administration has a responsibility to ensure that Americans' 
personal and financial data is secure. And individuals should be 
notified when their personal information has been compromised.
  Instead, the Centers for Medicare and Medicaid Services chose not to 
notify individuals when a security breach occurs.
  This bill makes sure that individuals get the information they need 
to protect themselves.
  By alerting users when a security breach occurs on the ObamaCare 
website, they can take action to limit the consequences.
  If the Administration won't protect the privacy and security of 
Americans, then Congress should.
  The SPEAKER pro tempore. All time for debate has expired.
  Pursuant to House Resolution 455, the previous question is ordered on 
the bill.
  The question is on the engrossment and third reading of the bill.
  The bill was ordered to be engrossed and read a third time, and was 
read the third time.
  The SPEAKER pro tempore. The question is on the passage of the bill.
  The question was taken; and the Speaker pro tempore announced that 
the ayes appeared to have it.
  Mr. PALLONE. Mr. Speaker, on that I demand the yeas and nays.
  The yeas and nays were ordered.
  The vote was taken by electronic device, and there were--yeas 291, 
nays 122, not voting 19, as follows:

                             [Roll No. 11]

                               YEAS--291

     Aderholt
     Amash
     Amodei
     Bachmann
     Bachus
     Barber
     Barletta
     Barr
     Barrow (GA)
     Barton
     Benishek
     Bentivolio
     Bera (CA)
     Bilirakis
     Bishop (NY)
     Bishop (UT)
     Black
     Blackburn
     Boustany
     Brady (TX)
     Braley (IA)
     Bridenstine
     Brooks (AL)
     Brooks (IN)
     Broun (GA)
     Brownley (CA)
     Buchanan
     Bucshon
     Burgess
     Bustos
     Byrne
     Calvert
     Camp
     Campbell
     Cantor
     Capito
     Capps
     Capuano
     Carney
     Cartwright
     Cassidy
     Chabot
     Chaffetz
     Cicilline
     Coble
     Coffman
     Cole
     Collins (GA)
     Collins (NY)
     Conaway
     Connolly
     Cook
     Costa
     Cotton
     Cramer
     Crawford
     Crenshaw
     Cuellar
     Culberson
     Daines
     Davis, Rodney
     DeFazio
     Delaney
     Denham
     Dent
     DeSantis
     DesJarlais
     Diaz-Balart
     Doggett
     Duckworth
     Duffy
     Duncan (SC)
     Duncan (TN)
     Ellmers
     Enyart
     Esty
     Farenthold
     Fincher
     Fitzpatrick
     Fleischmann
     Fleming
     Flores
     Forbes
     Fortenberry
     Foster
     Foxx
     Franks (AZ)
     Frelinghuysen
     Gallego
     Garamendi
     Garcia
     Gardner
     Garrett
     Gerlach
     Gibbs
     Gibson
     Gingrey (GA)
     Gohmert
     Goodlatte
     Gosar
     Gowdy
     Granger
     Graves (GA)
     Graves (MO)
     Griffin (AR)
     Griffith (VA)
     Grimm
     Hahn
     Hall
     Hanabusa
     Hanna
     Harper
     Harris
     Hartzler
     Hastings (WA)
     Hensarling
     Himes
     Holding
     Horsford
     Hudson
     Huelskamp
     Huizenga (MI)
     Hultgren
     Hunter
     Hurt
     Israel
     Issa
     Jenkins
     Johnson (OH)
     Johnson, Sam
     Jordan
     Joyce
     Kaptur
     Keating
     Kelly (PA)
     Kilmer
     King (IA)
     King (NY)
     Kingston
     Kinzinger (IL)
     Kirkpatrick
     Kline
     Kuster
     Labrador
     LaMalfa
     Lamborn
     Lance
     Langevin
     Lankford
     Latham
     Latta
     Lipinski
     LoBiondo
     Loebsack
     Lofgren
     Long

[[Page H150]]


     Lucas
     Luetkemeyer
     Lujan Grisham (NM)
     Lujan, Ben Ray (NM)
     Lummis
     Lynch
     Maffei
     Maloney, Carolyn
     Maloney, Sean
     Marchant
     Marino
     Massie
     Matheson
     McAllister
     McCarthy (CA)
     McCaul
     McHenry
     McIntyre
     McKeon
     McKinley
     McMorris Rodgers
     Meadows
     Meehan
     Messer
     Mica
     Michaud
     Miller (FL)
     Miller (MI)
     Miller, Gary
     Mullin
     Mulvaney
     Murphy (FL)
     Murphy (PA)
     Neugebauer
     Noem
     Nolan
     Nugent
     Nunes
     Nunnelee
     Olson
     Owens
     Palazzo
     Paulsen
     Pearce
     Perry
     Peters (CA)
     Peters (MI)
     Peterson
     Petri
     Pingree (ME)
     Pittenger
     Pitts
     Poe (TX)
     Pompeo
     Posey
     Price (GA)
     Radel
     Rahall
     Reed
     Reichert
     Renacci
     Ribble
     Rice (SC)
     Rigell
     Roby
     Roe (TN)
     Rogers (AL)
     Rogers (KY)
     Rogers (MI)
     Rohrabacher
     Rokita
     Rooney
     Ros-Lehtinen
     Roskam
     Ross
     Rothfus
     Royce
     Runyan
     Ryan (WI)
     Salmon
     Sanford
     Scalise
     Schneider
     Schock
     Schrader
     Schwartz
     Schweikert
     Scott, Austin
     Sensenbrenner
     Sessions
     Shea-Porter
     Sherman
     Shimkus
     Shuster
     Simpson
     Sinema
     Smith (MO)
     Smith (NE)
     Smith (NJ)
     Smith (TX)
     Southerland
     Speier
     Stewart
     Stivers
     Stutzman
     Terry
     Thompson (PA)
     Thornberry
     Tiberi
     Tierney
     Tipton
     Titus
     Turner
     Upton
     Valadao
     Vela
     Wagner
     Walberg
     Walden
     Walorski
     Walz
     Weber (TX)
     Wenstrup
     Westmoreland
     Whitfield
     Williams
     Wilson (SC)
     Wittman
     Wolf
     Womack
     Woodall
     Yoder
     Yoho
     Young (AK)
     Young (IN)

                               NAYS--122

     Andrews
     Bass
     Beatty
     Becerra
     Bishop (GA)
     Blumenauer
     Bonamici
     Brady (PA)
     Brown (FL)
     Butterfield
     Cardenas
     Carson (IN)
     Castor (FL)
     Castro (TX)
     Chu
     Clark (MA)
     Clarke (NY)
     Clay
     Clyburn
     Cohen
     Conyers
     Courtney
     Crowley
     Cummings
     Davis (CA)
     Davis, Danny
     DeGette
     DeLauro
     DelBene
     Deutch
     Dingell
     Doyle
     Edwards
     Ellison
     Engel
     Eshoo
     Farr
     Fattah
     Frankel (FL)
     Fudge
     Grayson
     Green, Al
     Green, Gene
     Grijalva
     Gutierrez
     Hastings (FL)
     Heck (WA)
     Higgins
     Hinojosa
     Holt
     Honda
     Hoyer
     Huffman
     Jackson Lee
     Jeffries
     Johnson (GA)
     Johnson, E. B.
     Kelly (IL)
     Kennedy
     Kildee
     Kind
     Larsen (WA)
     Larson (CT)
     Lee (CA)
     Levin
     Lewis
     Lowenthal
     Lowey
     Matsui
     McCollum
     McDermott
     McGovern
     McNerney
     Meeks
     Meng
     Miller, George
     Moore
     Moran
     Nadler
     Napolitano
     Negrete McLeod
     O'Rourke
     Pallone
     Pascrell
     Pastor (AZ)
     Payne
     Pelosi
     Pocan
     Polis
     Price (NC)
     Quigley
     Rangel
     Richmond
     Roybal-Allard
     Ryan (OH)
     Sanchez, Linda T.
     Sanchez, Loretta
     Sarbanes
     Schakowsky
     Schiff
     Scott (VA)
     Scott, David
     Serrano
     Sewell (AL)
     Sires
     Swalwell (CA)
     Takano
     Thompson (CA)
     Thompson (MS)
     Tonko
     Tsongas
     Van Hollen
     Vargas
     Veasey
     Velazquez
     Visclosky
     Wasserman Schultz
     Waters
     Waxman
     Welch
     Wilson (FL)
     Yarmuth

                             NOT VOTING--19

     Carter
     Cleaver
     Cooper
     Gabbard
     Guthrie
     Heck (NV)
     Herrera Beutler
     Jones
     McCarthy (NY)
     McClintock
     Neal
     Perlmutter
     Ruiz
     Ruppersberger
     Rush
     Slaughter
     Smith (WA)
     Stockman
     Webster (FL)

                              {time}  1054

  Messrs. LYNCH and SAM JOHNSON of Texas, Ms. HAHN, Mr. CICILLINE, Ms. 
SPEIER, and Mr. LANGEVIN changed their vote from ``nay'' to ``yea.''
  So the bill was passed.
  The result of the vote was announced as above recorded.
  A motion to reconsider was laid on the table.
  Stated for:
  Mr. WEBSTER of Florida. Mr. Speaker, on rollcall No. 11, had I been 
present, I would have voted ``yes.''


                          personal explanation

  Mr. CLEAVER. Mr. Speaker, due to a medical procedure, I was unable to 
vote the week of January 7th. On Tuesday, January 7, I would have voted 
``present'' on rollcall vote No. 1 (Quorum).
  On January 8, I would have voted ``yes'' on rollcall vote No. 2 (H.R. 
721), ``yes'' on rollcall vote No. 3 (H.R. 3527), and ``yes,'' on 
rollcall vote No. 4 (H.R. 3628).
  On January 9, I was also unable to vote. Had I been present, I would 
have voted ``no'' on rollcall vote No. 5 (Ordering the Previous 
Question), ``no'' on rollcall vote No. 6 (H. Res. 455), ``yes'' on 
rollcall vote No. 7 (Sinema Amendment No. 1), ``yes'' on rollcall vote 
No. 8 (Tonko Amendment No. 2), ``yes'' on rollcall vote No. 9 (Motion 
To Recommit with Instructions), and ``no'' on rollcall vote No. 10 
(Final Passage of H.R. 2279).
  On January 10, I would have voted ``no'' on rollcall vote No. 11 
(Final Passage of H.R. 3811).

                          ____________________