Minnesota ObamaCare exchange breach exposes 2400 agents to identity theft
posted at 1:01 pm on September 14, 2013 by Ed Morrissey
Last month, the Minnesota version of ObamaCare attracted attention for spending $9 million on advertisements featuring a giant statue of Paul Bunyan doing Super Dave Osborne tricks to promote the state exchange. If that didn’t amuse many Minnesotans, no one was laughing yesterday after an employee at the exchange e-mailed out confidential information on 2,400 agents to an insurance broker — reminding everyone that data security in the ObamaCare exchanges isn’t exactly a top priority:
A MNsure employee accidentally sent an e-mail file to an Apple Valley insurance broker’s office on Thursday that contained Social Security numbers, names, business addresses and other identifying information on more than 2,400 insurance agents.
An official at MNsure, the state’s new online health insurance exchange, acknowledged it had mishandled private data. A MNsure security manager called the broker, Jim Koester, and walked him and his assistant through a process of deleting the file from their computer hard drives.
Koester said he willingly complied, but was unnerved.
“The more I thought about it, the more troubled I was,” he said. “What if this had fallen into the wrong hands? It’s scary. If this is happening now, how can clients of MNsure be confident their data is safe?”
Patrick Ouellette at Health IT Security, an industry-related website, notes that the Centers for Medicare and Medicaid Services (CMS) had just pronounced security at the exchanges as secure a few days earlier, and that consumers shouldn’t be worried about putting their confidential information into the system:
While the MNsure breach isn’t related to the federal hub’s technical security protections and may be a one-time incident, the incident certainly won’t build further confidence in the capabilities of online-based health insurance exchanges to protect patient data. Moreover, it was just this week that CMS definitely stated that the federal hub used to determine eligibility for federal subsidies is secure. Some republicans disagreed with that notion, arguing that the requisite testing time hadn’t been met to ensure proper security.
On a state level, such as in Minnesota, there are online-based health insurance exchanges detractors who are concerned with privacy as well. Private data such as Social Security numbers will be flowing from the state hubs to the federal Hub to determine which patients are eligible for government subsidies, so the Minnesota breach is clearly an issue that feeds the fire for ACA opponents’ arguments.
Steve Parente, a University of Minnesota finance professor who specializes in health IT issues and testified on Capitol Hill earlier this week, believes that the HIXes are being moved along too quickly. Digital data “is a convenient and simple convention to move things along,” Parente said, according to the Tribune. “But the downside is that it can have unintended consequences. It takes time to parse and curate and edit. You can’t do that if you’re in a rush.”
By the way, does anyone wonder why the agents had their Social Security numbers in the system? MNSure said it was to apply credit for navigator training, which is … a little strange. Why not use something a little less sensitive than a Social Security number — say, an agent license number or a phone number? Did anyone bother to ask why an SSN was necessary? Perhaps Minnesota — and other states — are in such a rush that these questions aren’t being asked, which is yet another reason to have less than full confidence in the security and operation of these systems.
That’s not the only problem in Minnesota with the exchanges, either. Critics took MNSure by surprise by attacking the exchange for its lack of diversity:
About a week ago, state officials were boasting that consumers shopping on MNsure’s website this fall would find the lowest health insurance premiums of any announced by various state health exchanges thus far.
But Tuesday, MNsure leaders were taken to task by DFL legislators for not awarding outreach grants to any African American community groups. The agency’s board of directors voted Wednesday to make up to $750,000 more available so more groups could have a chance at grants to support enrolling uninsured residents in health plans.
By Friday evening, DFL officials were trying to put the security breach in perspective by stressing it involved an accidental email from a MNsure worker — not a hacking of the MNsure website that would suggest a systemic threat.
But Republicans said the incident supports their concerns about data privacy at the health exchange.
“The data security breach … sent a very public message to Minnesotans that MNsure’s data security systems and/or protocols are not sufficiently able to protect their privacy,” GOP Sens. Sean Nienow of Cambridge and Michelle Benson of Ham Lake wrote in a letter to the chairmen of a legislative committee that oversees MNsure.
The DFL (Democratic Party in MN) will hold legislative hearings on the data breach on September 24th. That’s just seven days before Minnesotans without group insurance will be required to put their sensitive identity data into a system without much hope for security.