Exchange Breach Triggers State Review

Minnesota Investigating Health Insurance Exchange Incident
Exchange Breach Triggers State Review

About two weeks before health insurance exchanges open for business under healthcare reform, an exchange in Minnesota already is reporting a data breach.

See Also: Hunt Cloud Threats or Be Hunted | CISO Guide to Cloud Compromise Assessments

Minnesota state auditors are reviewing data security practices at the state's MNsure health insurance exchange following the breach involving an MNsure worker who inadvertently disclosed personal information on 2,400 brokers and agents in an unencrypted attachment e-mailed to two unauthorized individuals. The recipients of the e-mail were a private insurance broker and agent working together in the same office.

The exchange says that on Sept. 12, it "became aware that a MNsure employee inadvertently sent a document containing the private information of 2,400 agents and brokers who are applying for certification with MNsure to two individuals who work together in one office," according to a statement from MNsure to Information Security Media Group. The private information in the document included names, addresses and Social Security numbers. "The collection of Social Security numbers is standard practice in order to enable the recording of continuing education credits," MNsure explains in the statement.

Policy Violation

"MNsure takes this incident extremely seriously. While it appears that this incident was accidental, MNsure will conduct a thorough investigation to fully understand the nature of the incident," the statement adds. "MNsure has a data privacy policy in place, and this employee's action was a violation of this policy. MNsure is evaluating whether any additional policies and procedures can be implemented to prevent such incidents in the future."

Upon learning of this incident, the statement says, MNsure contacted the individuals who received the private information and they deleted it. MNsure also took immediate steps to notify all agents/brokers whose information was accidentally shared.

Meanwhile, state auditors are investigating the incident, says Jim Nobles, legislative auditor for the State of Minnesota. "Frankly, I didn't expect to be conducting a review so soon," he says, considering MNsure, like all other state health insurance exchanges, doesn't officially open for business until Oct. 1, which is when open enrollment begins. His office generally gives new programs about a year to get going before being faced with audits or investigations.

"We knew we needed to give this incident attention because data security is so important" to the new state health insurance exchanges, Nobles says. While his office plans to investigate primarily the breach incident and not conduct an overall compliance review of the exchange's IT, "I will venture into the controls a bit that should be in place to prevent this kind of incident," he says.

State health insurance exchanges, called for under federal healthcare reform, are online marketplaces where consumers and small businesses can shop for and enroll in health plans. States were each allowed to choose whether they wanted to operate their own exchanges, run one in partnership with the federal government or have the federal government operate one for them. MNsure is being operated by the state of Minnesota.

Preventive Measures Needed

"From what I know so far this is an isolated event, which happened by mistake," Nobles says. "But all organizations should have the mechanics in place to prevent this kind of thing from happening," he says.

Some of the factors that Nobles' office will review is why the e-mail attachment was sent, why the data was not encrypted, and whether there were any safeguards in place that could have stopped the data from being transmitted. For instance, if data loss prevention technology isn't being used by MNsure, Nobles' office will investigate why, he says.

"We'll go through every detail of what happened," he says. The investigation will likely take about two weeks.

Nobles says his office will also look into the data source of brokers' personal information in the e-mail attachment. "Where does that data reside, and how is it protected? Is it encrypted, and if so, what kind of encryption?"

Broader Issues

Nobles says the incident shines a spotlight on the issue of government workers who have access to personal and sensitive information as part of their job.

"There is a growing concern about the volume of personal information that public employees have access to, and the possible misuse of that information, or even privacy violations due to curiosity," he says. "Before the concern was external hackers, but the focus is shifting to internal public employees" as potential security and privacy threats.

"One reason I jumped on the MNsure incident was to send a strong message to other organizations and public employees."

Christopher Rasmussen, a policy analyst at the Center for Democracy & Technology, a consumer advocacy organization, says the MNsure incident could offer an important lesson for other health insurance exchanges.

"The lesson here for all other exchanges is train your staff," he says. "I don't know what the specific training standards are in Minnesota. And I realize that mistakes happen and sometimes no matter how much training you do and no matter the quality of the training, breaches are going to happen."

Although this breach disclosed Social Security numbers of brokers and agents, Rasmussen says, "a similar breach of applicant SSNs could be a terrible black-eye for enrollment."

Rasmussen acknowledges, however, that "all the training in the world will not prevent accidents from happening or the actions of a malicious individual."

In another recent health insurance exchange security development, the U.S. Department of Health and Human Services last week disclosed that a federal data hub that will serve as a critical conduit for data needed by the state insurance exchanges has completed security testing and is certified to operate when the exchanges begin open enrollment on Oct. 1 (see Federal Data Hub Passes Security Testing).

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.