Congressional Scrutiny for CHS Breach?

Rep. Cummings Seeks Hearing on Community Health Systems

While a Congressional committee will hold a hearing this week to probe security issues in the wake of the recent hacking of a test server for the Obamacare website, the ranking member of the panel says it's more urgent to schedule a hearing on the massive Community Health Systems breach.

Also this week, the panel - the House Committee on Oversight and Government Reform - will hold a hearing on Tiversa, the peer-to-peer security intelligence firm at the center of an ongoing data security dispute between medical test lab firm LabMD and the Federal Trade Commission (see Latest Legal Twists In FTC, LabMD Saga).

Rep. Elijah Cummings, D-Md., sent a letter on Sept. 9 to House Oversight Committee Chair Darrell Issa, R-Calif., requesting the panel hold a hearing "to investigate the cause and effect of a very serious data breach at Community Health System."

That breach, which was revealed by the hospital chain in an Aug. 18 8-K filing with the Securities and Exchange Commission, is believed by security experts to have involved Chinese hackers who may have taken advantage of the Heartbleed flaw. The incident compromised information on 4.5 million patients.

"Over the past year, the committee has been investigating the security of the website. This investigation has involved numerous public hearings, more than a million pages of documents from federal agencies and private contractors, and 18 transcribed interviews," Cummings wrote in his Sept. 9 letter.

"To date, however, no personally identifiable information has been compromised as a result of malicious cyber attacks, although outside actors have repeatedly tried. Cybersecurity threats are an ongoing challenge for both the federal government and the private sector. For these reasons, I believe an investigation of the data security breach at Community Health Systems will help the committee learn from these witnesses about security vulnerabilities they have experienced in order to better protect our federal information technology assets."

A congressional source tells Information Security Media Group that Cummings has not yet received a response from Issa about his request for a hearing on the Community Health Systems breach, as well as his other request for a hearing to probe the recent Home Depot breach.

Hearings This Week

On Sept. 18, one day after the Government Accountability Office plans to release a report on the security of that was requested by several members of Congress, the committee will hold a hearing titled: "Examining ObamaCare's Failures in Security, Accountability and Transparency" (see Expanded Scrutiny Sought).

The Department of Health and Human Services disclosed on Sept. 4 that malware had been uploaded on the Obamacare test server back in July. HHS officials say the malware was designed to launch a distributed-denial-of-service attack against other websites when activated and not designed to exfiltrate personally identifiable information. No consumer data was exposed in the incident, officials say (see HealthCare.Gov Server Hacked).

After HHS revealed the attack, Issa announced on Sept. 4 that HHS' Centers for Medicare and Medicaid Services Administrator Marilyn Tavenner "must testify" at the Sept. 18 committee hearing about "woes".

CMS did not respond to ISMG's request for comment on whether Tavenner will, in fact, testify at the committee's hearing.

LabMD Saga Continues

In another hearing, slated for Sept. 17, the House committee will examine Tiversa, the peer-to-peer security firm that's at the center of the ongoing data security dispute between medical test lab firm LabMD and the Federal Trade Commission.

A source tells ISMG that the hearing is expected to examine the Pittsburgh-based firm's practices related to providing to the FTC information about alleged security incidents that the commission pursues for potential enforcement actions.

In a statement to ISMG, a Tiversa spokeswoman says, "Tiversa has cooperated with the inquiry being conducted by the House Committee on Oversight and Government Reform, providing 30,000 pages of documents and making available seven current and former employees for interviews, including Robert Boback," CEO of the company. Boback will testify at the hearing, she says. "Tiversa looks forward to this matter coming to closure as the committee understands its inquiry is unfounded."

The FTC did not respond to ISMG's request for comment on the hearing.

Representatives for Issa's office did not respond to ISMG's request for more details about this week's hearings. As of the morning of Sept. 16, the Oversight Committee had not yet posted a list of witnesses slated to appear at the hearings.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
