Small Breach, Big Lesson in BackpackEmployee Causes Health Insurance Exchange Incident
There was plenty of debate in Congress and elsewhere over whether Obamacare's HealthCare.gov was adequately tested for security before it launched last fall - and whether health insurance applicants' electronic data was effectively safeguarded. But a recent breach at a state-run Obamacare health insurance exchange offers an important reminder that paper records need protection, too.
On June 6, Access Health CT, the health insurance exchange operated by Connecticut under the Affordable Care Act, revealed that a backpack containing four paper notepads with handwritten information on about 400 consumers was found in a deli not far from the exchange's Hartford call center. Access Health CT says the information written in the notepads included a combination of names, Social Security numbers and birthdates for approximately 400 individuals. In total there were fewer than 200 Social Security numbers contained on the pads.
The backpack was found by a staffer of a Republican state representative, who notified the exchange about the find, Access Health CT says.
After hearing about the discovery of the backpack on the local news that evening, the owner of the backpack came forward last weekend. That person was an employee of Access Health CT's call center vendor, Maximus. The employee had forgotten the backpack after eating at the deli after work.
Police, as well as the insurance exchange and Maximus, are investigating the incident. "As the investigation continues, this individual has been placed on administrative leave and has had all system access privileges revoked," an Access Health CT statement says. "While we are still working to understand exactly why this person took the information out of the building, based on what we have learned so far, it does not appear there was malfeasance on the part of this person."
The statement explains: "Notes of this kind, which were found on the paper notepads, are sometimes made by call center representatives to assist them during the course of servicing clients as they navigate various parts of the enrollment system. However, it is expressly prohibited for this information to leave the call center office in any way, shape or form."
Access Health CT is notifying individuals whose names were handwritten on the paper note pads to inform them of this potential breach. Affected consumers are being offered free credit monitoring, fraud resolution, identity theft insurance and security freezes of credit reports for two years.
This relatively small, low-tech breach at Connecticut's health insurance exchange comes in the midst of ongoing scrutiny over data security of consumer information flowing on the federal HealthCare.gov site, which runs the health insurance exchanges for 36 states.
Connecticut, which is one of the handful of states running its own exchanges, for the most part had a much smoother open enrollment period when it debuted last fall, escaping most of the technical headaches that states dependent on HealthCare.gov endured.
The Government Accountability Office recently confirmed it will conduct "complete and continuous end-to-end testing" of the security of the HealthCare.gov website and systems. The request for ramped up inspection of the site came to GAO in a recent letter from Rep. Lamar Smith, R-Texas, chairman of the House Committee on Space, Science and Technology.
In the meantime, HealthCare.gov is undergoing a revamp before the next open enrollment period begins in November. That work reportedly includes replacing the enterprise identity management system that consumers use to create electronic accounts on the site. The EIDM was the source of bottlenecks when the site launched last October, according to testimony during the Congressional committee hearings last fall.
The Department of Health and Human Services' Center for Medicare and Medicaid Services, which is responsible for HealthCare.gov, tells Information Security Media Group: "Working toward the next open enrollment period, we have performed a detailed examination of tasks that reflect feedback from stakeholders, taking a realistic look at what is needed to successfully launch year two in mid-November. Our goals are to strengthen the marketplace, maximize enrollment and improve system operations so that Americans will continue to have access to quality, affordable health care."
In reaction to the missing backpack incident at Access Health CT, Maximus, the call center vendor, says that it is taking steps to reinforce security and training policies and procedures "to help ensure that this does not happen again."
The company's standard risk management procedures already include conducting a full background check, including criminal background check, prior to employment "and comprehensive training on handling personal data, personally identifiable information and protected health information," Maximus says.
"The person involved in this incident had cleared all required background checks and training before beginning work in the Access Health CT Customer Contact Center," Maximus says in its statement. "The team member violated company policy, which strictly prohibits the removal of personal data, PII and PHI from our facilities, and he has been placed on administrative leave while the company continues its investigation."