(Adds comments from contractors in paragraphs 4-6)
By Mark Hosenball
WASHINGTON Feb 4 (Reuters) - U.S. health officials have investigated whether some of the software used in computers at the heart of President Barack Obama’s healthcare reform was written in Belarus, but have found no evidence of that being the case, a White House official said on Tuesday.
A report of the probe, first published by the conservative Washington Free Beacon website late Monday, was seized on by Republicans who are campaigning to scuttle the reforms and say the website HealthCare.gov remains vulnerable to hackers four months after its botched roll-out on Oct. 1.
Caitlin Hayden, a spokeswoman for Obama’s National Security Council, said investigators for the Department of Health and Human Services had “found no indications that any software was developed in Belarus.”
The main contractor for the HealthCare.gov project, CGI Federal, said: “At no time during its work on HealthCare.gov did CGI subcontract any work to any entity or persons from Belarus, specifically from the high-technology park in Minsk.”
It added in a statement: “All of CGI’s work for HealthCare.gov was performed in the United States.”
QSSI, a unit of health insurer UnitedHealth Group which took over late last year to oversee repairs to the faulty website, declined to comment.
The site is the web portal to a 36-state federal health insurance marketplace which offers private insurance with federally subsidized rates for some consumers.
Hayden confirmed that a U.S. intelligence agency had recently issued, then retracted, a report related to possible involvement by a Belarus company in writing the software.
Intelligence officials said she was referring to a U.S. security agency’s report on an interview in which a Belarusian appeared to claim that elements of the Obamacare website had been written by his organization.
In the interview with Radio Russia dated June 25, 2013, Valery Tsepkalo, director of the government-backed High-Technology Park (HTP) in Minsk, said: “One of our clients is the health ministry of the United States - we are being paid to help Obama with the healthcare reform.”
However it was unclear from the interview exactly what work the company was doing and what U.S. entity it was working with.
“NO SECURITY ATTACKS”
The Centers for Medicaid and Medicare Services, a section of the HHS which oversees much of the healthcare reform law, issued a statement that did not directly address the possibility that HealthCare.gov software may have been written in Belarus.
“To date, there have been no successful security attacks on HealthCare.gov and no person or group has maliciously accessed personally identifiable information from the site,” the statement said.
It said the site complied with federal rules and that independent security contractors found no problems when they completed a “Security Control Assessment” in December.
David Kennedy, chief executive of the cybersecurity firm TrustedSecLLC, who has testified at Congressional hearings on the security of HealthCare.gov, said on Tuesday that engaging a company in a country closely allied with Russia would raise concern.
He said such a country may be pressured to build “back doors” in the infrastructure of a U.S. government site like HealthCare.gov, which could potentially give hackers linked to the Russian government a way to access U.S. government computer systems.
Obamacare, formally called the Affordable Care Act, was passed in 2010. Although many reforms are already in effect as part of the act, the biggest change, which is meant to extend medical insurance to millions of Americans, is being rolled out this year.
The Free Beacon website said U.S. intelligence officials had specifically warned that “programmers in Belarus, a former Soviet republic closely allied with Russia, were suspected of inserting malicious code that could be used for cyber attacks.”
The Free Beacon quoted one anonymous official alleging that, “The U.S. Affordable Care Act software was written in part in Belarus by software developers under state control, and that makes the software a potential target for cyber attacks.”
U.S. Director of National Intelligence James Clapper said he had no knowledge of the withdrawn intelligence report about Belarus when asked about it during a congressional hearing.
Clapper’s spokesman Shawn Turner said in an email that it was “an Open Source Center daily update that was recalled because it failed to meet internal requirements for classification review.”
A U.S. official said that intelligence officials had not wanted to circulate widely a summary based on uncorroborated media reporting which could cause serious concerns without being confident of its validity.
The report was marked, “Unclassified/For Official Use Only,” according to a separate U.S. official who saw it, who asked not to be named.
Reporting by Mark Hosenball, David Morgan and Roberta Rampton in Washington, Sharon Begley and Caroline Humer in New York, Jim Finkle in Boston and Douglas Busvine in Moscow; Writing by David Storey; Editing by Meredith Mazzilli and Andrew Hay