"From a security perspective, the aspects of the system that were not tested due to the ongoing development, exposed a level of uncertainty that can be deemed as high risk for FFM [Federally Facilitated Marketplace]," said the Sept. 27 memo.
The memo was issued by CMS IT officials James Kerr and Henry Chao, and signed by CMS Administrator Marilyn Tavenner.
The agency decided to go ahead with the Oct. 1 launch despite the risks, and it created a dedicated security team to monitor the risk. Tavenner said in a House Ways and Means hearing Tuesday that she believed the website was ready on Oct. 1, although she acknowledged there would be some glitches to work out.
At a House Energy and Commerce meeting Wednesday, Health and Human Services Secretary Kathleen Sebelius said temporary approval was given because there was a security risk "mitigation" plan.
The memo was provided in response to a request from the House Oversight Committee, CNN says. Committee Chairman Darrell Issa, R-Calif., has been launching an investigation into the launch of HealthCare.gov, and who in the administration knew of issues beforehand, and what is involved in the "tech surge" to fix the site.
Potential privacy and security issues have been a large talking point for Republicans against the online federal exchange.
"You accepted a risk on behalf of every person that used this computer that put their personal and financial information at risk because you did not even have the most basic 'end-to-end' test on security of this system," Rep. Mike Rogers, R-Mich., said to Sebelius. "Amazon would never do this. ProFlowers would never do this. Kayak would never do this."