105 comments

[ 2.4 ms ] story [ 192 ms ] thread
Passing this sort of data in analytics requests is mind-boggingly-stupid.

Most analytics providers explicitly tell you not to pass along Personally Identifiable Information (PII). Their Terms of Contract usually state doing so is a terminable offense. It's part of the training process to be certified by most providers.

Basically, this only highlights how terrible the programmers at healthcare.gov are.

We can blame the programmers, but who is ultimately responsible. The Whitehouse is the executive branch; they are paid to execute and ultimately this is entirely their responsibility. They are the project managers of this entire mess. Now imagine those same people deciding your medical treatment. It's just sheer incompetence disguised as politics. Of course a more subversive view would suggest that this was engineered in order to pave the way for single payer. The Soviets built better cars than the US government builds websites.
Last I checked, the Affordable Care Act really didn't involve anyone at the Executive Branch deciding on what medical treatment I could get. Downvoted for fearmongering and paranoid speculation. (purposely botched implementation of a large software project to make single payer easier? Because the Tea Party shutting down the US government to try to block this healthcare bill makes it likely we will see single payer pass?)
Actually if the Independent Payment Advisory Board fails to develop a proposal should costs exceed certain thresholds then the Secretary of Health and Human services must submit a proposal themselves which they must implement.

Since all appointees to this committee must be agreed upon by the Executive Branch as well as both minority and majority leaders from each party (hence 12 from Congress with the Presidents approval/recommendation) and 3 from the President, yes the Executive branch could very well determine what health options are available too you.

The real issues before us now are.

1) why can the Secretary of Health and Human Services even refuse to divulge enrollment numbers? 2) why is the same not keeping the President fully aware or made aware of the problems the site faced before launch and after (conspiracy advocated claim the President knew) 3) By regulating what must be covered and not covered they are deciding what you can have and have not. Remember, there are a lot of gray areas in the law which the Secretary has shown more than enough interest in creating actual rules.

Of course, the nice part is that since they do have analytics (as terribly implemented as it appears to have been), we can force enrollment number disclosure by filing a FOIA request for the web analytics data.

Which, incidentally, I did today before this story broke.

You can still by supplemental insurance, so they aren't regulating what you can have, they are regulating the minimum floor.
Obamacare is not a "minimum floor" it is a full suite of mandated coverage for every politically connected medical sector.
Yes, its a minimum floor. And there are many plans that offer more than the ACA minimum.

You may not like where the minimum is set, but that doesn't make it anything but a minimum floor.

> they aren't regulating what you can have, they are regulating the minimum floor.

This is utter nonsense on its face. If I have (or want) something under the minimum floor, they have regulated that away from me. They have regulated what I can have.

They also regulated away spoiled beef in stores, non smoke detectors equipped bedrooms and poisoned tap water. You can't have it. Minimum floor.
Indeed. I'm simply asking that we call a spade a spade.
Some municipalities mandate the addition of sodium fluoride in their public water systems. Sodium fluoride is a poison, so it's not necessarily accurate to claim they have 'regulated away' poisoned tap water.
No one drinking publicly fluoridated tap water in the US is coming even close to a toxic dose. You might as well call all caffeinated beverages toxic given the toxic dose of caffeine is 1/30th that of sodium fluoride.
The difference is that said municipalities mandate that this toxic substance be added to people's water. With soda, people have more direct awareness and choice. With communal water, many people remain trusting and assuming. Meanwhile, there is no hard, double-blind science backing any clear benefits of fluoridation; yet the negatives keep growing. The EPA lowers their "recommended maximum" continually throughout the years, as pressure for sanity builds. Sane countries banned fluoridation long ago. Furthermore, the more it infects the food chain, the more "a little bit" adds up. It doesn't magically stay contained in tap water alone. Sure, it won't matter to most people, even not on principle alone. It will matter to some people, though, in compounding their chronic health problems. And that matters to me.

Then there is ethics.

Ethics and choice matter. Even if there were startling net benefits to this very toxic substance, using or ingesting it should be exclusively on an individual basis: personal choice, OTC, or per a physician. Advocating for needlessly and forcefully "medicating" (read: it's not medicine) other people through their communal water supply is, in no uncertain terms, blatantly unethical. It seems to stem from either psychopathy, greed, or sheer ignorance. It's on the same order as an industry and some physicians promoting nicotine cigarettes for health, once upon a time, and other such barbarities of an era.

Most things that are considered to be medicine are pretty toxic. It's the dose that makes them into medicine.

Some of this is because to be a medicine, a substance sort of needs to have a noticeable effect on our biology.

I appreciate your comment. You caught my conventional language and prodded me. I should be more careful. Toxicity is a factor of everything in medical science involving substances. ...in life rather. Medicine of all various forms is vast, highly varying per person, often contradictory over time in understanding, and constantly evolving. Conventionally, I consider medicine to be [something that is beneficial down to the personal level].

I'll rephrase. It isn't good medicine.

Fluoride treatments and water fluoridation are medicines like mercury treatment was once medicine. Explicit forms of "medication" must be relegated solely to an individual's active consent when consent is possible. That means a conscious choice to partake in the "medicine," on or in one's body, without medicating other people in the treatment. That's basic ethics. The benefit:negative ratio would have to be astronomically high to justify any less standard where medicine is concerned.

Medicine is very personal. Speaking for myself, when an extremely toxic substance to humans, no matter the dose, is intentionally added to something as important as water and thus a food chain, it has already lost the ethical equation. Massively "medicating" passive "patients" through the water supply is just sad. Worse still, ingesting fluoride hasn't been justified on any beneficial, medical level -- and quite the opposite with negatives. Thus, it's hard for me to associate the term "medicine" with it. I completely concede to that point though.

Wow, I didn't know fluoride conspiracy theorists still existed. Thanks.
That's a snide dismissive. I encourage you to not be condescending to others for making statements against your preconceived notions. You may support ingesting fluoride for yourself, for whatever reason. I'd also encourage you to research it with a more skeptical and intellectual spirit, if only for the sake of your health.

How you treat others and yourself is up to you, of course. Beyond your personal choices, you'll then have a titanic task of providing basis for your support of fluoride as a medicine to the point where you justify medicating the rest of your community through its water supply.

The difference is that said municipalities mandate that this toxic substance be added to people's water.

That horribly toxic chemical chlorine is added to water too. It is significantly more toxic than sodium fluoride. It also happens to be responsible for the greatest improvement in public health in the 20th century.

Sane countries banned fluoridation long ago.

Most countries who don't fluorinate water didn't ban it. They simply never implemented it or stopped implementing it because it is quite expensive and technically difficult to do well. Instead many simply add fluoride to their table salt (like France, Germany, Switzerland) or heavily pushed topical fluoride applications. The countries that have neither (like say Japan), tend to have significantly worse dental health than the US.

Meanwhile, there is no hard, double-blind science backing any clear benefits of fluoridation

You must be kidding. We have long-term longitudinal studies that clearly show the benefits and safety. Every decade, someone puts out a review paper[1] of the studies and comes to the same conclusion, fluoridation at low levels is good. We have scientific consensus that it is beneficial.

1. http://www.nature.com/ebd/journal/v9/n2/full/6400578a.html

Chlorine has a clear justifiable use and is easy to remove. Hence, filtration is very popular and recommended to remove chlorine and other contaminants. Water treatment serves to bring a base level of safety. That which does not kill one quickly is not equivalent to that with which one should be satisfied.

Fluoridation, alternatively, is not easy to remove. Fortunately, I can afford distillation and reverse osmosis. Many other people can't. I'm not sure why you're so eager to medicate the water supply when more studies, decade after decade, present more negatives. Positive fluoride studies are notorious for conflating correlation with causation, especially in light of the more direct causation of cultural advances in education for merely brushing teeth as well as access to dental care. There is a lack of evidence showing significant variance in dental caries between fluoridated and non-fluoridated municipalities. That should alarm you. Fluoride accumulates. For whatever reason, you don't seem interested in its negatives.

Again...

Even if there are light or even startling benefits, it does not make valid the ethics of mass medication. You may feel strongly about wanting everyone to have fluoride. I suggest voicing your pro-fluoridation stance in a more positive way rather than advocating it be done through a water supply where it's very hard to remove, and compounds. Maybe advocate for "free fluoride tablets" and fluoride-filled toothpaste if you must. Don't include others in your treatment.

The difference is that said municipalities mandate that this toxic substance be added to people's water.

That horribly toxic chemical chlorine is added to water too. It is significantly more toxic than sodium fluoride. It also happens to be responsible for the greatest improvement in public health in the 20th century.

Sane countries banned fluoridation long ago.

Most countries who don't fluorinate water didn't ban it. They simply never implemented it or stopped implementing it because it is quite expensive and technically difficult to do well. Instead many simply add fluoride to their table salt (like France, Germany, Switzerland) or heavily pushed topical fluoride applications. The countries that have neither (like say Japan), tend to have significantly worse dental health than the US.

Meanwhile, there is no hard, double-blind science backing any clear benefits of fluoridation

You must be kidding. We have long-term longitudinal studies that clearly show the benefits and safety. Every decade, someone puts out a review paper[1] of the studies and comes to the same conclusion, fluoridation at low levels is good. We have scientific consensus that it is beneficial.

1. http://www.nature.com/ebd/journal/v9/n2/full/6400578a.html

You aren't being forced at gunpoint by the IRS to drink tap water. You are free to buy whatever water you want. You are being forced to buy insurance. A very big difference.
you're not forced to buy insurance. There is a new tax and you're just given a chance to avoid it by buying some specific product. For example i avoid some taxes by paying mortgage. Nobody forces me to have a mortgage or medical insurance. Either of it just reduces taxes and provides some benefits to me as perceived to me.
They both use force. Putting heavily toxic, hard-to-remove substances into tap water -- as additives rather than as "necessary" treatments -- is, I would hope, an action considered aggressive and highly unethical to many people. Consider the degree to which people are now dependent on municipal water and the degree to which water is crucial to sustain life. I would call poisoning a water supply a form of force. It's physical and economic taxation, mostly hurting poor people (who can't afford proper filtration). And it's to the detriment of an entire food chain.

Under the new health insurance law, the penalty for not buying health insurance is a fine. I forget the yearly amount: $500-1000 (depending)? Yes, that's a form of force. The amount of the fine and who it impacts is the amount of force. It's economic taxation. It also further opens up a slippery slope in the ability for such forms of force to be used increasingly in other aspects of government and society. That's another topic.

Both propositions are easily argued as forms of force. They could easily be argued as unjustified compared to other systems and methods. However, for now, I'd argue that contaminating water is a larger form of force.

Spoiled beef is quite a different thing from requiring a 60 year old man to buy maternity coverage.
You mean spreading the cost of maternity coverage across all policyholders. Perhaps you're not aware of how insurance works, spreading risk and all that jazz.

Have healthcare system where costs are externalized? People complain. Have healthcare system where costs are internalized and properly accounted for? People complain.

1) You don't get to tell me what I "mean". 2) I'm quite aware of how insurance works. Please do share with us the probability of a 60 year old man becoming pregnant, then explain why that "risk" needs to be "spread".
I wonder what the probability of a 60 year old man getting his lovely partner pregnant might be? That looks like a reason for spreading risk to me.
Given that the law also requires the lovely partner to have her own coverage, I think your "reason" is dubious at best.
Also note that the law requires 60 year old women to buy maternity coverage. Is their lovely partner going to make them pregnant?

Given that the Guinness record for the oldest natural conception is 59, I think not (there are a few cases of older women giving birth, but those all involved in vitro fertilization or the like).

What other astoundingly unlikely events do you guys think people should be required to insure against? Meteor impact? Virgin birth? All the molecules of air rushing to one side of the room and suffocating you?

(comment deleted)
well, i truly doubt that the law mandates for male coverage to include maternity or female coverage - prostate cancer. The law just mandates the same insurance price for males and females.

It is pretty much the same as me paying [through taxes] for the FDA beef inspectors even though i don't eat beef. Just a socialization of the cost of basic government services (healthcare is among them, it is just Republicans are slower as usual to recognize the facts of reality, and thus "socialization" of the cost happens inside an insurance pool instead of society-wide as it would be in the case of single-payer )

"well, i truly doubt that the law mandates for male coverage to include maternity or female coverage - prostate cancer."

You're wrong. The law says what the policy has to cover. Whether the policy holder is male or female doesn't enter into it.

"It is pretty much the same as me paying [through taxes] for the FDA beef inspectors"

Really? Since when is the FDA (actually, USDA in this case) a private, for-profit operation?

>Really? Since when is the FDA (actually, USDA in this case) a private, for-profit operation?

i already addressed that - the Republicans forced for it to be done through private for-profit operations instead of a government agency like FDA/USDA/etc...

Actually, have you read the entire bill? If Government is controlling the insurance, they are controlling the care. And yes, if the Affordable Care Act forces insurers to leave markets, then the only thing left would be a call for single payer.

Harry Reid even said that Obamacare is "absolutely" a step towards single payer.

And, by the way, the calls for Single Payer because of the Obamacare "mess" are starting, Paul Krugman seems to be leading the charge along with others.

So could making the Obamacare rollout rougher than necessary prime the pump for a single payer push? I don't know, could closing the WWII memorial and Mt. Rushmore scenic roadside stops make the government shutdown worse than it needed to be to make a political point? The White House would never do that would they? That's just paranoid conspiracy stuff right? Strangely enough the Andrews Air Force Base golf course stayed open during the shutdown but the privately run Mt. Vernon (who happens to lease land from the Park Service) was forced to close. The even closed the Normandy beach in France! Yet, I had no problems getting a routine consular appointment during the shutdown in Marseille.

It's not paranoia if it's really happening.

http://www.healthcare-now.org/sen-reid-obamacare-absolutely-...

http://www.forbes.com/sites/paulroderickgregory/2013/10/28/o...

Actually, what I think about is the recent government shutdown where the administration went out of its way to close monuments even when those monuments required no federal funds to keep running... even those monuments that had remained open during previous shutdowns.

Obviously we witnessed an administration that wanted to really put the screws to the voting public to score political points.

Now imagine when they want to do something similar with your healthcare.

If I were forced to choose between the following 3 entities/groups as to who the factual evidence suggests was trying to "put the screws to the voting public":

1. Presidency

2. Repubs in Congress

3. Dems in Congress

I'd have to pick #2. Overwhelming disposition of evidence pointing in that direction.

In the spirit of your point: now imagine what those folks would be willing to do to your healthcare. Actually, we don't have to imagine. Look at their actions.

Since these is not typically a political discussion forum, at least outline your "overwhelming" factual evidence.
What evidence do you have that the administration had anything to do with shutting down monuments? Something like that is at the discretion of the director of a given federal agency. Now maybe the director of the National Park Service decided that he was going to shut monuments down as a matter of politics, but you have to recognize that there are good reasons to do so.

In DC in the last year we had a vandal deface the Lincoln Memorial and the National Cathedral. If during the shutdown the National Park Service just left all of the monuments unguarded and someone took a hammer to the nose of a statue of Jefferson, that'd be a humongous price to pay. In a national park, without park rangers to rescue people, if someone got themselves into trouble and died, that would be worse than ruining some people's vacations.

It is possible that the White House ordered parks and monuments closed for political reasons, but that's all speculation at this point. No different than speculating that George W. Bush allowed 9/11 to happen to justify invading Iraq.

Perhaps you need a civics lesson. The national parks service is part of the department of the interior which is run by the Secretary of the Interior who reports to the President. We can't constantly keep blaming underlings. At some point the President of the United States is involved. He certainly didn't shutdown Healthcare.gov yet other HHS sites were shut down. Interesting. No money for Pubmed but plenty for Healthcare.gov
In this case I'm not blaming underlings, I'm just saying that there is no verifiable evidence that the White House ordered park and monument closings. The head of the National Parks Service could have made a decision to keep things open, or he could have made a decision to close things. The Secretary of the Interior could have done the same.

Do you have any evidence that the president sent out an order to close the parks and monuments? In that case, yes he is responsible. Otherwise you are just speculating, just like everyone else.

If you want to make the argument that ultimately the president is responsible for everything that happens on his watch, that's a different argument. The parent post was saying that Obama sent an order to close the parks.

We've been at sequestration level funding for months. Some agencies moved things around to minimize disruption, some didn't. Do you think the president sent orders down to individual agencies on how to mitigate the effects of sequestration, but didn't send that guidance to others? It's possible, but it is more likely that the different agencies figured things out for themselves and some made out better than others.

I don't have any authoritative source to confirm or deny why certain things were closed, but I would like to point out that there were some rangers still on duty and search and rescue employees on hand to rescue people in National Parks.
What evidence do you have that the administration had anything to do with shutting down monuments?

You have to really be taking big gulps of the Kool Aid to have missed all the stories about how far park services went to deliberately shut down monuments. There were even reported stories of government officials showing up at some independent park operators who were utilizing government land. They ordered those parks shut down. So they didn't have money to operate parks but they had money to send people to shut down parks the government doesn't even operate?

If you start questioning the official line from the Administration, you might ask why the President and his spokespeople kept threatening default on national debts when the servicing of the debt is mandated by the 14th Amendment and easily accomplished with one tenth of the incoming federal revenues. It was all a big house of cards once you started looking at it.

It's a bit ridiculous to accuse Kool Aid drinking when you haven't provided any evidence that the White House directly ordered NPS to close parks and monuments. It certainly is possible, but where is the proof? Even an off-the-record statement from a WH official would suffice.

There are plenty of reasons to not take Obama's word at face value, and there are plenty of real things to criticize him over without making up stuff.

According to the article, Marilyn Tavenner is responsible for authorizing the security checks to be skipped, along with several other administrators at HHS.

Now, I would argue that Sibelius is ultimately responsible for setting unrealistic timelines, and general culture at HHS, but without a smoking gun I'm not going to blame the President. Yet. Although I think he entrusted his only signature act in the hands of a very incompetent woman, and gave her carte blanche for 3 years.

The programmer responsible (and his QA) should still be relegated to typewriters for the rest of their careers.

The fault lies with Sebelius, however the same logic would absolve Bush of Rumsfeld's errors.
To me the question is, once the president learns of the incompetence of a subordinate, what action does he take? Does the president hold the subordinate accountable, and fire them? Or does the president just let them keep on bungling.

Rumsfeld eventually resigned, but Bush didn't push him out, meaning Bush owns Rumsfeld's failures. In my opinion, if Obama doesn't hold Sebelius and Clapper accountable, he owns their incompetence and misconduct.

The US Government is accountable, yes. I'll even buy that the executive branch is the accountable party, given the role of implementing laws and programs. However, calling them the project manager of the site and then extending that to directly making medical treatment decisions is pretty crazy. If Amazon screws up my toilet paper order, does that mean they're automatically incompetent at auto-scaling my EC2 instances?

For what it's worth, there's some crazy delegation of tasks in the ACA. For over a year now, I've been on the interim Preexisting Condition Insurance Program. (expires 12/31, so I'm in a bit of freakout mode, but that's another story for another time ....) It's administered by the Department of Agriculture. Ummm.... moo?

The Whitehouse is the executive branch; they are paid to execute and ultimately this is entirely their responsibility. They are the project managers of this entire mess. Now imagine those same people deciding your medical treatment. It's just sheer incompetence disguised as politics.

The executive branch has 2.1 million employees and is structured as set of a dozen subsidiary companies each with dozens of subsidiary companies. It is impossible for the Whitehouse, any Whitehouse, to manage except in a completely delegatory way. The idea that someone at the Whitehouse is going to be doing checkins with the contractors brought in to build a website is, frankly, laughable considering the number of things competing for attention.

I mean, would you call Warren Buffet incompetent if GEICO rolled out a faulty website because he ultimately controls it?

Ok, so who the hell is in charge then? After all, The Affordable Car Act is the President's "Signature Legislative Achievement." So You going to simply say that the President isn't responsible because he has too many employes and can't possibly manage. That's a scary thought because the President is also in charge of another large organization -- the military. So your logic would suggest that the President isn't responsible for the acts of the military, yet in the same breath folks have no problem blaming Bush for Abu Ghraib.

As Harry Truman said, the buck stops here. By the way, Warren Buffet isn't the CEO of GEICO. Tom Nicely is and yes, I would certainly call Mr. Nicely incompetent is a website they had over 2 years of lead time to build faild, especially if it were part of Mr. Nicely's "Signature" achievement and grand promise to revolutionize auto insurance for the company's customers. Should Steve Balmer be blamed for Windows Vista? Balmer had almost 100K employees, so obviously Vista couldn't have been his fault.

Guys, it's a damned website! It's essentially just a guided questionnaire. The "tough" part is that it probably has to talk to insurance company APIs. Other than that, it was purely a greenfield project. I'm sure we could assemble a team of 10 guys (or girls) from right here in Hacker News and could build a better product in 25% of the time at 1/100th of the cost. Actually, I would go so far as to say that the basic functionality could be built with a team of 6 with a budget of $500K. Remember, this site ISN'T administering insurance. It's Kayak for insurance -- that's pretty much it.

There is NO excuse for this level of incompetence. If I built healthcare.gov for a private client I wouldn't have been paid. I probably would have been sued. Yet according to the person to whom I am replying, The White House bears no responsibility because the government is just too damned big for the President to be responsible.

I didn't elect the President to suck, but that's what's happening.

> That's a scary thought because the President is also in charge of another large organization -- the military. So your logic would suggest that the President isn't responsible for the acts of the military, yet in the same breath folks have no problem blaming Bush for Abu Ghraib.

Something being scary doesn't make it untrue. It would not particularly surprise me if the first that Bush heard of Abu Ghraib was when it hit the news.

There are of course relative degrees of responsibility - you are responsible for the people you hire, and if you have few concerns then your responsibility for those concerns individually goes up since you have more time to devote to oversight on them. But do any of us think that a president has few concerns and is directly involved with hiring three or four levels of abstraction beneath them?

The reason Bush is blamed for Abu Gharaib is because guidance came from the White House that torture was authorized in order to gain intelligence. Very different than if some subordinates tortured people of their own accord.

Healthcare.gov is not just a damned website. The backend has to integrate with the IRS, Medicare/Medicaid, Social Security, private insurance companies, and the various state exchanges. No you could not have assembled a team of 10 developers in 25% of the time for 1% of the cost. No offense but you clearly are not familiar with any of the details of why healthcare.gov failed.

Requirements came in so late that development didn't start until March, giving them at the most, 7 months of time to develop this thing. So you're saying that a team of 10 could've gotten this thing built in less than 2 months? And that this fictional team could've gotten away with 1 week of full integration testing? The government integrators (CMS) didn't make that full test happen until 1 week before launch.

I agree that there is no excuse for this level of incompetence, but a lot of that incompetence is on the part of the customer. An ill-prepared group was given systems integration responsibilities, requirements came in very late and they were changing right up to release, not enough time was allocated to integration testing, and no one sounded the alarm that this was going to be a disaster.

Now maybe the president knew, maybe he didn't. The responsibility for something like this would've fallen on Kathleen Sebelius. Did she know the project was off the rails? Did she inform the White House? If she didn't know, she didn't do her job, if she did know and didn't sound the alarm, she didn't do her job. The only scenario where she is not to blame is if she sounded the alarm to the president, and the president told her to push ahead. So far there has been no indication that this was the case.

By the way, Warren Buffet isn't the CEO of GEICO. Tom Nicely is

I picked GEICO because it is a wholly owned subsidiary of Berkshire Hathaway. Berkshire Hathaway's CEO is of course, Warren Buffet. Warren Buffet has the power to fire Tim Nicely the same way Barack Obama has the power to fire Kathleen Sebelius. Both of them however have very little daily direct interactions with projects at their subsidiary organizations.

It also highlights that the privacy and security were not as important to management as launching the app on a fixed deadline.
Yes, in that the security checks were forced through. But that's not atypical - the security requirements for federal sites are amazingly complex to navigate, and even if the site was a) functional and b) secure in time for testing, it's likely they would have punted that down the road a bit, or even indefinitely.

The mind still boggles. If I was even asked by a client to put a password reset in analytics, I would report it to my manager immediately, then refuse the client's request. If the client didn't give up on tracking this, we'd have to stop working for them. That's how serious raw PII is in analytics.

You'd have to be seriously incompetent to even consider tracking a password request.

"Never attribute to malice that which is adequately explained by stupidity."

I think that situation was probably just sloppy coding of some sort, not an intentional act.

Reflecting on the blogger sourced by Arstechnica, you are correct.

The data is present in the URL (queryString) for the page, so there is nothing malicious about the analytics code, which is merely going about it's default of reporting the URL of the page.

Returning that sort of data in a queryString is still far outside the realm of common sense.

Of course.

They already had to do a password reset for everyone -- it's probably been breached already.

It's like they were running up against a deadline and just crunched the best they could. There is so much insanity in this project, and I say that as someone who more than anything wants this to succeed.
Crunching against tight deadlines is not abnormal in big IT projects.

Which is of course why big IT projects are such horrible things. The risks (some would say inevitable results) are well researched at this point.

There is a reason the world has switched to Agile or Agile-like processes. There is no reason a project with a 3 year timeline didn't have a build and testing starting at year 1 and continuing periodically.

There shouldn't have been any development by the start of September 2013. None, except fixing bugs found by testers.

The problem is that if you have a terrible customer holding the purse strings, no development methodology would save you. Maybe if CGI used an Agile process to develop this, they could've at least gotten a good start even though the requirements were horribly late and were changing all the way up to launch.

But we don't even know if they received enough requirements to start development before this year. We also don't know if the customer would've authorized them to start development before this year. Bad decisions and failings from the customer can doom projects like these very early in the process.

And even if CGI had used Agile and gotten as much done as they could, if you didn't get all of the requirements in time to implement them, you still probably couldn't launch. Politically HHS probably would not agree to launch without certain functionality completed. In a sane project if you're getting big requirements changes late in the game you'd either push them to another release or you'd push back the release date. Neither happened and predictably, disaster ensued.

Then there's the whole idiocy of allocating one week for full integration testing. Of course that test failed but again, no one sounded the alarm (at least not publicly).

I think we had enough punch bagging on this.
Until it's fixed, until it's worthy of the hard earned money spent on it (which is a considerable sum), no, we haven't had enough.

This is government accountability 101.

Agreed, as long as the "worthy" bit of your sentence remains the goal. This being an inherently political issue, probably 90% of the people grousing about how badly this works never wanted it to work at all (and probably 95% never would have used it anyway, being employed with existing health care options).

But to the extent that there are real people who want to purchase health plans through the federal exchange and can't: yes, this is a disaster and has to be fixed.

Wait wait wait. 2 failed wars costing over a trillion dollars, near-economic collapse due to the rollback of financial regulations, and NOW we're holding the government accountable?? Over healthcare.gov? Where the hell was everyone for the last 13 years?
Pretty sure the public voted a different party into the WH and senate due to some of those issues.

Regardless, it's not as though bigger problems make it so that smaller but still very large problems should be ignored. Similarly, one does not need to decide between foreign policy mistakes, nsa wiretaps, and bailouts to be angry about, you can be angry about all of them, and hold government officials responsible for all of them.

Besides which, healthcare.gov is a cornerstone of the affordable care act, which is a multi-trillion dollar endeavor.

The public also voted in a Republican House majority and flipped Ted Kennedy's seat to prevent a filibuster proof Senate majority to essentially prevent Obamacare being implemented without amendments.

Yet, it was "deem and passed" and here we are. Power to the people?

And remember when they were so angry at that they voted in the candidate that vowed to repeal Obamacare in the next election.

Wait.

Who was Mr. Romenycare, and prior to the election was notorious for being willing to say anything to get elected?

Coming from the "extreme right wing" side of the political spectrum, I assure you that few of us considered any "severely conservative" promise from Hairpiece Q. Motherf----- credible. The eGOP managed to hand us the single worst possible candidate in every way to run against Obamacare.

Ah yes. The "that guy failed so bad that my guy gets a free pass". Our bad. Move along people, nothing to see here.
(comment deleted)
Attempting to change the subject isn't going to work with this one.

Sorry, it just isn't.

The outrage rings hollow. It's not changing the subject.

The website has major problems. Shocking.

Sometimes, we should get out of our engineering bubble; it would put a perspective on things. It'll be fixed, but people will eventually forget about it.

Yes, it is precisely an attempt to change the subject. The whole "two failed wars...." bit is an attempt to deflect the conversation from the issue at hand.

Why not bring up the Teapot Dome Scandal? The Trail of Tears? The Mexican American War? Any number of other examples of Government Fail?

What you're trying to do is like a guy getting pulled over for speeding who grouses that the officer should be out catching burglars and muggers. It doesn't work in that situation either, as a rule.

You're free to have your opinion. As an IT professional, I can be dismayed at the rollout, but understand lots of IT projects fail.

If this is what it takes to get to single payer eventually, so be it. I expect the road to be bumpy.

My opionion? Fine. Explain why you brought in the "two failed wars" bit if not as an attempt to make this fail look better by comparison. Be specific.

If you think this disaster is going to make it easier to "get to single payer", you're dreaming.

This disaster? Just part of the process. Mandating coverage, limiting profits of health insurance companies, baby boomers aging onto Medicare at an increasing rate.

I'm 30, and I would bet large sums of money we'll have single payer by the time I'm 40.

Nice non-answer.

I would bet large sums of money that this disaster has killed single payer for at least a generation, if not longer.

(comment deleted)
I think the only good news about HealhCare.gov is going to come from The Onion at this point.
Heh, i also wouldn't be surprised for this site to be a high profile target... Any successful attack to it would completely embarrass the u.s. Which id imagine is up there on some peoples lists right now
Are there really any new revelations that could make us be more embarrassed about healthcare.gov?

Then again, I keep thinking that nothing the NSA does will surprise me anymore on a weekly basis, until another story like today happens.

Leaving the embarrassment aside, this thing has to be the Holy Grail for identity thieves.
everyone is probably using "health" for their password anyway, amiright?
Physical address of the organisation managing the site is amusingly "7500 Security Boulevard, Baltimore, MD 21244".
Not to diminish the researcher's work here, but even as bad as these security holes are, as reported, I'm mildly non-surprised...just because they've got to be much worse...the most visible parts of this system were cracking...it would be hard to believe that the unseen and often skipped-over parts of engineering would be more solid than what we've experienced, given the laughably short testing period.

This is going to set back electronic medical records for quite a long time. Don't forget the Obama admin put aside $20 billion dollars to fund that, and contractors have been eating up that money for a few years now.

Maybe HealthCare.gov is just a honey pot by design, except poorly cloaked?
Seriously I'm thinking that whoever developed HealthCare.gov did not know anything about web development. I knew that one doesn't simply add usernames passwords to URLs when I was f*cking 12 years old. I am even more surprised that no one ever audited their security and US citizens are not asking government what the heck the money is gone to. That's a reason that many government officials should immediately resign from their positions.
Somewhere in America, Harper Reed is breathing a massive sigh of relief.
Move fast and break things!
So if all 50 states created their own exchanges, healthcare.gov would have just been an info splash page?

I mean even DC created their own exchange, what was the excuse of the other 30+ states?

It was part of an organised plan to try and sabotage Obamacare, having lost the legislative battle and the Presidential election.
These Blue or Purple states are not doing one: New Hampshire, New Mexico for the moment for individuals, Utah permanently for individuals, Arkansas, Iowa, Michigan, Illinois.

Plus my Purple home state of Missouri isn't doing one based on a citizen initiative in 2012, where 62% of us voted to outlaw the creation of a state exchange unless authorized by the people or the legislature (http://ballotpedia.org/wiki/index.php/Missouri_Health_Care_E... ).

I also find it highly questionable to score elections like you have. Not only are you ignoring Scott Brown and 2010, but the one in 2012 was between Mr. Obamacare and Mr. Romneycare, the eGOP handed voters the single worst possible candidate to have a referendum on Obamacare about.

More generally, you should acknowledge this is the first ever major entitlement program that didn't pass on a widely popular bipartisan basis, from FDR's Social Security to Bush's Medicare Part D prescription one. It would be remarkable if that didn't have consequences we've never seen before.

Or more specifically, how did not building an exchange "sabotage" Healthcare.gov? Sounds like you're trying to magic a perceived by you sin of omission into a sin of commission.

Can't be a volume problem, seeing as how the site failed in integration testing a week before launch before achieving 200 simultaneous logins, and so much has to go through it for every exchange (remember when Verizon's goof shut them all down) and perhaps one day if they get around to it insurer (it's the only allowed source of subsidy calculations, which does make some sense).

Right, because the States are just vassals of the Federal government. They must meekly go along with poorly written and executed laws of the Feds.
I am going to make a stand for all the developers working furiously on this, although I don't know any of them. I blame it all on management, and they have the worst kind - politicians. I write this as I am certain it is very similar to what happened here in Brisbane Australia with the Queensland Health payroll system fiasco. Under severe pressure from politicians, they pushed out a system without thoroughly testing it first.

Edit: The Queensland health Payroll system was quoted at $6.19 million, latest revised cost is $1.2 billion.

I don't blame the devs either. I know they crap with which they must deal. It must be like the movie Office Space mixed with endless meetings, thousands of pages of specification docs with the agility of an 12th century stone wall.
I'm a dev up shitcreek with no paddle and also blame management ("here take a couple more projects. And support a couple more", while trying to rewrite a piece of sh*t that's already months behind).

It's almost always the go-to excuse though, I just don't know if it's the truth anymore. Of course we'd blame management. Depressing.

Darn you sound like you work with me. And I swear to almighty god it is never my fault. A bunch of idiots get together and promise that I will deliver this piece of software at this date, without inviting me along to the meeting. Then, they write the specs (shouldn't it be the other way round at this point?). In most cases, the specs are incomplete and they want me to start while they are still finalizing stuff. I go tell them about a roadblock, and that they should revise the deadline and they tell me I should go ask someone else how to do it as if I am incompetent. And they always think bringing in more developers would make things go faster. Damn I am beginning to lose my cool just writing this.
It amazes me how often the Mythical Man Month situation comes up in government IT. Sometimes people even KNOW that adding developers to a late project won't work but they have to be seen as 'taking action' so they do it anyway.
Maybe they should've ran the site through the 'meaningful use' certification process first...
Very funny.

I have a friend in this general field. Last time I checked, he told me those two words in the "Stimulus" bill expands in ~ 700 pages of regulations and it has made a bunch of consultants on it quite wealthy. Per Michelle Malkin, who lost her Primary Care Physician to this insanity, talking about another (http://michellemalkin.com/2013/10/23/dont-forget-obamacares-...):

"Dr. Michael Laidlaw of Rocklin, Calif., told EHR Practice Consultants that he abandoned the Obamacare EMR “incentive” program “when I realized that I spent the first two to five minutes of each visit endlessly clicking a bunch of garbage to make all the green lights show up on the (meaningful use) meter. I said to myself: ‘I’m not wasting precious seconds of my life and my patients’ time to ensure some database gets filled with data. I didn’t go into medicine for this. It is not benefiting my patients or me. I hate it.’ I actually refused to take the $10K-plus this year. I have even accepted that I would rather be penalized in the future. What is worth the most to me is AUTONOMY."

The later refers to the concept that this is firmly inserting the visible foot of government into the physician patient relationship.

Former federal IT security contractor here. There's nothing unusual about this event, except perhaps the fact that it's receiving national attention.

When I worked for the federal agency responsible for providing health care services to tribal entities, we would routinely accept and issue waivers for high-level risks discovered in RPMS (called VistA at the VA), the 30-year-old EHR application we used to store PHI and PII. Honestly, I don't know why we even bothered performing C&As and penetration tests -- everybody knew we weren't going to mitigate the vulnerabilities, even before we started testing for them.

It was an incredibly frustrating environment to work in. Federal law required us to test for vulnerabilities, but the director and CIO didn't give a shit about infosec and the CISO just kept issuing waivers for everything.

> the federal agency responsible for providing health care services to tribal entities

Wouldn't that be the IHS, which is underneath HHS? Suggesting a general disdain for security within the HHS?

Healthcare.gov is underneath CMS, not IHS, but I don't think it's unreasonable to conclude that the overarching body, HHS, has poor security practices.