Auditor Analyzes Minn. Exchange Breach
Urges Other Exchanges to Ramp Up Security
The report, issued by Minnesota's legislative auditor Jim Nobles, cites several mistakes and poor decisions that the state exchange, MNsure, made that contributed to an unauthorized data disclosure about insurance brokers on Sept. 12. The incident, which occurred before the state health insurance exchange launched for open enrollment under the Affordable Care Act on Oct. 1, did not involve consumer data.
Nobles tells Information Security Media Group that he believes all health insurance exchange operations, whether they're run independently by a state, as is the case in Minnesota, or run in partnership with the federal government, need to be more mindful of how they protect all data, including information about brokers as well as consumers.
"There's so much anxiety among citizens around the state and federal exchanges, and worry about their data being compromised, it's important these environments secure all data," he says.
During recent Congressional hearings with Obama administration officials about the technical woes of the federal website Healthcare.gov, used for insurance enrollment under Obamacare, questions were raised about whether the site and its systems had adequate security testing to prevent breaches before open enrollment launched on Oct. 1 (see: HealthCare.gov: Rebuilding Trust).
MNsure Breach Details
In the September incident at MNsure, a worker mistakenly attached a document containing private information on 2,400 brokers and agents to an unencrypted e-mail sent to two individuals who were not authorized to view the information. The recipients of the e-mail were a private insurance broker and agent working together in the same office (see: Exchange Breach Triggers State Review).
The MNsure worker who made the mistake was later terminated by the exchange.
The private data in the attachment included Social Security numbers that had been gathered by MNsure from insurance brokers seeking certification to use the exchange's website to sell insurance products.
The auditor's investigation confirms that the disclosure of the private information by the MNsure employee was unintentional with no malicious intent, and that the exchange responded appropriately by reporting the breach.
The report, however, notes: "In developing a certification process for insurance brokers, MNsure officials made decisions that contributed directly to the disclosure of private data."
For instance, MNsure should not have collected brokers' Social Security numbers because they were not needed for the exchange to carry out its responsibilities, the report notes.
Also, MNsure used e-mail to collect the personal data from insurance brokers "without fully assessing and mitigating the risks involved, and without considering a more secure and efficient alternative," according to the report.
The investigation also found that although MNsure uses an e-mail system that automatically encrypts e-mails while in transit from one state agency to another, e-mail sent to individuals outside state government is not secure unless the sender manually triggers encryption.
"The training MNsure required its employees to complete included information about how to encrypt e-mails and attachments. However, in using the state e-mail system to obtain private data from brokers, MNsure did not use the encryption option," the report notes.
Additionally, the private broker data residing on the internal MNsure computer network was not adequately secured by encryption, according to the report. Also, the broker data roster was accessible to all MNsure staff - which includes approximately 70 people - regardless of whether their job duties required access.
Other mistakes contributing to the incident, according to the report, included MNsure having assigned too few staff to develop the broker certification process and not effectively organizing the data collected from the brokers.
The report also notes that MNsure relied on data security and privacy training that may have been inadequate.
"MNsure provided employees with a basic introductory overview of data privacy policies and data protection procedures," the report says. "However, the general nature of the training, the test questions, the score required to 'pass,' and the limited ability of supervisors to follow up on areas of concern may not have ensured that employees adequately understood how to protect not public data."
The report also notes, "When we asked the manager of MNsure's broker team whether team members received additional training and direction on using the [e-mail] encryption option, he said, 'Not until after the incident.'"
In a response letter included in the report, MNsure Executive Director April Todd-Malmlov says the exchange "generally believes the report is accurate and agrees with its findings." The letter also notes that following the breach, MNsure took immediate steps to ensure that the recipient of the disclosed data deleted the data file.
MNsure has taken additional steps, including a review to ensure MNsure's security and privacy policies are being followed, and has conducted "in-person" data security and privacy training with staff, the letter states. The exchange has also engaged a consulting firm to perform a root cause analysis of factors leading to the unauthorized disclosure. The results of that analysis will be available in December, Todd-Malmlov says in the letter.
Nobles tells Information Security Media Group that he was disappointed that the response letter from MNsure didn't "publicly accept responsibility" for the incident and confirm that it was revising its policies in using e-mail to send sensitive information.
In an e-mail statement to ISMG, MNsure says: "The incident in question - which occurred before the online launch of MNsure - was due to human error and was in no way related to the MNsure IT system, which enrolls individuals and small businesses in health insurance. As is indicated in the report, MNsure responded quickly and appropriately to the incident. ... MNsure appreciates and values the thorough examination of this incident and is committed to taking measures to ensure one like it does not occur in the future."
A MNsure spokeswoman says the exchange is no longer collecting brokers' Social Security numbers and notes that there have been no other privacy or security breaches since the September incident.