A contractor heavily involved in repairing HealthCare.gov was previously criticized for endangering the personal data of more than 6 million government beneficiaries through insufficient security controls.
Lax data safety at Quality Software Services, Inc. (QSSI) was deemed a "high" risk in a June probe by federal investigators who revealed the company had failed to stop its employees from connecting unauthorized USB devices to highly sensitive Medicare systems.
The unhindered access to USB ports raised the possibility that workers could have introduced malware to Medicare's systems or "inappropriately accessed" personally identifiable details, the report stated.
The information of more than 6 million Medicare beneficiaries was at "greater risk from malware, inappropriate access or theft" as a result, wrote HHS Assistant Inspector General Kay Daily.
Slack government data controls are a major issue given the ongoing ramifications of information leaked by ex-National Security Agency contractor Edward Snowden and Army soldier Bradley Manning. The two allegedly used USB devices to obtain and distribute government secrets.
A spokesperson for QSSI said the company implemented many of the OIG's recommendations prior to the report's publication.
“QSSI is dedicated to the highest standards of information security in our work," the company said in a statement. "We implemented all of the enhancements recommended by the OIG prior to the publication of the final report, and informed CMS of our actions." The issue is also relevant to debates over the ongoing rollout of President Obama's healthcare law.
While the investigation pertained solely to QSSI's work on a Medicare contract, the results are sure to raise questions about the company's role in constructing and repairing ObamaCare's troubled enrollment website.
Republicans have accused the Obama administration of failing to ensure the safety of consumers' personal data in the new system. This charge has become a cornerstone for GOP attacks on the implementation of the Affordable Care Act.
QSSI's duties under the rollout are also growing, which will add to the scrutiny. The company, based in Columbia, Md., was appointed last week to serve as "general contractor" on the repair effort at HealthCare.gov.
The firm also built the ObamaCare site's troubled registration tool as well as its data hub, which HHS has praised as "functioning well."
In her report, Daily noted that QSSI vowed to correct the security risks by revising its policies, implementing "read only" restrictions for its USB ports and scanning all portable devices to "detect malicious code."
These changes were documented in a letter to HHS from a company official, Anh Tran.
The federal Health department did not respond to a request for comment.
— This story was updated at 11:15 a.m. Friday.