Last week, the Arizona Auditor General released a report in which it found that the Arizona Department of Economic Security’s IT system was anything but secure. The auditors found exactly what former DES director Tim Jeffries said they would find; a cobbled together system full of holes that invite cyber intrusion and misuse of confidential information.
In February, 2017, Jeffries was scheduled to address the Arizona Legislature regarding one of the main computer systems used by DES and the Arizona Health Care Cost Containment System (AHCCCS). Jeffries’ testimony before Rep. Bob Thorpe’s Federalism, Property Rights and Public Policy Committee was blocked by Speaker of the House J.D. Mesnard in order to avoid “embarrassing the governor.”
According to sources, Mesnard had caved to Governor Ducey despite the public’s right to know and the constitutional separation of powers.
Jeffries had planned to tell legislators that the HEAplus computer system used by DES and AHCCCS for Medicaid eligibility is a failed and unsustainable system. It was projected to cost $47 million in hard costs and involved two years of software development testing. As of early this year, the failed systems had already tallied over $142 million in hard costs.
This budget overrun does not include an estimated $100 million in state time investments by DES and AHCCCS personnel. Jeffries would have told legislators that the software development vendor should be terminated and investigated. Jeffries’ public statements would have mirrored his frank briefing and pointed recommendation to Governor Ducey and Henry Darwin, Ducey’s chief operations officer, on July 13, 2016 over 9 months ago.
A closer look
In response to the Auditor General’s report, the Arizona Republic published an article by Jerod MacDonald-Evoy, in which he suggests that Jeffries’ firing of employees may have been the source of the security failures.
MacDonald-Evoy’s baseless suggestion forced closer scrutiny of the circumstances surrounding DES IT due to the fact that during Jeffries’ tenure there were zero staff reductions in the DES IT Security Department. Jeffries possessed over 20 years of senior level high technology experience. Cyber security was one of his top priorities as underscored the by focus and investments made during his tenure.
As the reader can see from the timeline below, the very people who allowed the failed systems and lackluster cyber security to remain unchecked for years are now the ones back in charge of it.
DES IT Leadership timeline:
● On April 18, 2017, the Arizona Auditor General releases a performance audit conducted on DES IT security.
● In April 2017, Michael Dellner resigns from DCS as Deputy Director of Operations. Prior to DCS, Dellner was hired by Jim Hillyard to serve as the CIO of DES IT.
● In December 2016 and January 2017, Ducey names Henry Darwin Interim Director of DES, and Darwin promptly reinstates Jim Hillyard as Deputy Director of Operations at DES based on their longstanding friendship in spite of numerous DES operational failures under Hillyard’s reign.
● In December 2016, several DES staff witnessed and reported that Henry Darwin worked closely with Arizona Republic reporters on a number of occasions to promote the Governor’s revisionist history of Jeffries’ consequential tenure as DES Director.
● In November 2016, Jeffries is fired by Ducey after bringing attention to the DES IT issues as previously noted and reducing the size of the agency as directed by Ducey.
● In October 2016, an Enterprise License Agreement with Salesforce is entered into for a very low price negotiated by Morgan Reed, the State CIO, due to the fact that DES had secured nation-leading low price points by Jeffries. The license for Trailhead, which is normally extremely expensive, was given to the DES for free. Morgan Reed, the State’s CIO, is aware and involved with the transaction.
● Remarkably, the DES mainframe developers were the employees who took advantage of the training provided by Trailhead. According to sources, those employees, who were still working with COBOL, a 40 year old computing programming code, were eager to learn how to program for the modern age.
● In September 2016, DES IT staff with Jeffries full support selected Salesforce as the cloud environment to radically transform DES computing systems. Staff works to take the system to the cloud, which FedRamp Compliant and is utilized federal organizations such as the CIA and FBI. At the time, the State was paying IBM millions of dollars a year to store data. Service providers express displeasure that the State might move to end their services. The State continues to pay exorbitant costs for services.
● In August 2016, Stephen Welsh, DES CIO, and Todd Bright, Deputy Director of Operations, are exited from DES. The two ignored concerns brought to them by Jeffries’ staff regarding the failing IT.
● In July 2016, new DES IT leadership brings in AGILE programming methodology. The system works in two week blocks (sprint), where flaws can be discovered quickly and repairs are made before code becomes too big to fix.
● In July 2016, new DES IT leadership staff discover that the State’s failing HEAplus software system wastes approximately $30 million a year not including $100 million in hard cost overruns and approximately $100 million in additional State general fund expenditures in State employee time and wast.
● In June 2015, DCS Director Greg McKay hires Michael Dellner as his Deputy Director of Operations at DCS. Todd Bright recommends Stephen Welsh as Dellner’s replacement. Previously, Welsh had served as the Chief Information Officer at the Arizona Department of Corrections.
● In June 2015, Jim Hillyard, the DES Deputy Director of Operations and former Interim Director of DES appointed by Governor Ducey, resigns from DES as revelations unfold about 66 full pallets of Cisco switches that must be scrapped that were unnecessarily and suspiciously purchased at the very end of a prior State government fiscal year.
● Between February and June 2015, Michael Dellner, serving as CIO of DES IT, brings concerns about unusual purchases under Hillyard to the Arizona Attorney General’s office. Dellner’s concerns are ignored then, and ignored again when raised by the DES Inspector General’s Office with Jeffries’ full support.
● In February 2015, Ducey appoints Tim Jeffries as director of DES with the specific charge to fix the social services agency that mOst people felt was irreparable.
● In January 2015, Governor Doug Ducey appointed Jim Hillyard as acting Director of the Arizona Department of Economic Security (DES). He replaced outgoing Director Clarence Carter, who resigned under pressure from Governor Ducey.
● From July 2012 to July 2015, Michael Dellner served as DES Chief Information Officer (CIO).
● From 2011 – 2015, Jim Hillyard serves as DES Deputy Director for Operations responsible for the Department’s financial, technical, administrative and business support functions.
Closing the gap
The employees running the IT systems were a combination of contract employees and State employees. These individuals migrated in and out, developing software systems that DES was stuck with, because they developed the systems, they were the only ones with knowledge of how they worked.
They went from State employees to contractors, which enabled them to make much more money. Allegedly information was gathered that would have shown these same individuals cut deals and essentially took advantage of the State based on their knowledge.
They are the same employees that Director Jeffries dismissed. So, contrary to MacDonald-Evoy implication, the exit of these employees actually closed the gap on the security breakdowns.
Related articles:
Ducey Admin Delays Delivery Of DPS DES Report
Ducey Shuts Down Testimony By Jeffries, Loftus On DES Debacle
Failures Of AZDES System HEA Plus Leads To $142 Million Wasted Taxpayer Funds