Agency Discovers Vulnerabilities In IRS Obamacare Fee Calculator

The IRS (Internal Revenue Service) has not completely secured its system that calculates fees for pharmaceutical firms and health insurers under Obamacare, according to a report by an inspector general.

Under the Affordable Care Act, the IRS is required to process sales information from drug manufacturers and premiums from health insurers for specific government-subsidized programs. The AIR system, or the ACA Information Returns System, is then responsible for calculating the annual fees to charge.

The system came under fire from the Treasury Inspector General for Tax Administration (TIGTA). Its 44-page report concluded that the IRS failed to fix several security vulnerabilities or check the source code for bugs.

“These security control weaknesses could impact the AIR system’s ability to reliably process the electronic form reports and to accurately determine the applicable fees,” TIGTA Deputy IG for Audit Michael E. McKenney said in the report.

The IRS mostly accepted the findings.

“Your team’s feedback was very timely,” the agency responded. “Immediately upon receiving it, we inserted additional IRS oversight on this contractor-staffed team and completely re-executed a portion of our testing prior to system deployment.”

TIGTA pointed out a total of 25 “critical and major failures and errors.” The IRS has revealed details to address 23 of these vulnerabilities, the report added. The report also pushed the agency to take swift action; 14 issues are not scheduled to be addressed before fall 2015.

“Our review found that some of these … weaknesses can be mitigated now,” stated the report.

Several experts have criticized the security of the technology powering the Obamacare site. The site's launch was plagued with bugs, and many cybersecurity researchers later discovered several vulnerabilities on the website.

For instance, the Government Accountability Office noted a few months ago that the Centers for Medicare and Medicaid Services failed to consider software patches and didn’t properly configure an administrative network.

TIGTA didn’t disclose any more specifics about the weaknesses in the public version of the report. However, the watchdog agency made many recommendations to the chief technology officer at the IRS to address the issues. The recommendations were made with the aim that:

• The ACA plan of action addresses the vulnerabilities within the required time
• The IRS IT testing organization and implementation efficiently manages the tested processes launched by external contractors
• Vulnerabilities are promptly identified and resolved

The IRS has agreed to most of these recommendations and plans to take corrective actions.