Minnesota ObamaCare exchange breach exposes 2400 agents to identity theft

posted at 1:01 pm on September 14, 2013 by Ed Morrissey

Last month, the Minnesota version of ObamaCare attracted attention for spending $9 million on advertisements featuring a giant statue of Paul Bunyan doing Super Dave Osborne tricks to promote the state exchange. If that didn’t amuse many Minnesotans, no one was laughing yesterday after an employee at the exchange e-mailed out confidential information on 2,400 agents to an insurance broker — reminding everyone that data security in the ObamaCare exchanges isn’t exactly a top priority:

A MNsure employee accidentally sent an e-mail file to an Apple Valley insurance broker’s office on Thursday that contained Social Security numbers, names, business addresses and other identifying information on more than 2,400 insurance agents.

An official at MNsure, the state’s new online health insurance exchange, acknowledged it had mishandled private data. A MNsure security manager called the broker, Jim Koester, and walked him and his assistant through a process of deleting the file from their computer hard drives.

Koester said he willingly complied, but was unnerved.

“The more I thought about it, the more troubled I was,” he said. “What if this had fallen into the wrong hands? It’s scary. If this is happening now, how can clients of MNsure be confident their data is safe?”

Patrick Ouellette at Health IT Security, an industry-related website, notes that the Centers for Medicare and Medicaid Services (CMS) had just pronounced security at the exchanges as secure a few days earlier, and that consumers shouldn’t be worried about putting their confidential information into the system:

While the MNsure breach isn’t related to the federal hub’s technical security protections and may be a one-time incident, the incident certainly won’t build further confidence in the capabilities of online-based health insurance exchanges to protect patient data. Moreover, it was just this week that CMS definitely stated that the federal hub used to determine eligibility for federal subsidies is secure. Some Republicans disagreed with that notion, arguing that the requisite testing time hadn’t been met to ensure proper security.

On a state level, such as in Minnesota, there are online-based health insurance exchanges detractors who are concerned with privacy as well. Private data such as Social Security numbers will be flowing from the state hubs to the federal Hub to determine which patients are eligible for government subsidies, so the Minnesota breach is clearly an issue that feeds the fire for ACA opponents’ arguments.

Steve Parente, a University of Minnesota finance professor who specializes in health IT issues and testified on Capitol Hill earlier this week, believes that the HIXes are being moved along too quickly. Digital data “is a convenient and simple convention to move things along,” Parente said, according to the Tribune. “But the downside is that it can have unintended consequences. It takes time to parse and curate and edit. You can’t do that if you’re in a rush.”

By the way, does anyone wonder why the agents had their Social Security numbers in the system? MNsure said it was to apply credit for navigator training, which is … a little strange. Why not use something a little less sensitive than a Social Security number — say, an agent license number or a phone number? Did anyone bother to ask why an SSN was necessary? Perhaps Minnesota — and other states — are in such a rush that these questions aren’t being asked, which is yet another reason to have less than full confidence in the security and operation of these systems.

That’s not the only problem in Minnesota with the exchanges, either. Critics took MNsure by surprise by attacking the exchange for its lack of diversity:

About a week ago, state officials were boasting that consumers shopping on MNsure’s website this fall would find the lowest health insurance premiums of any announced by various state health exchanges thus far.

But Tuesday, MNsure leaders were taken to task by DFL legislators for not awarding outreach grants to any African American community groups. The agency’s board of directors voted Wednesday to make up to $750,000 more available so more groups could have a chance at grants to support enrolling uninsured residents in health plans.

By Friday evening, DFL officials were trying to put the security breach in perspective by stressing it involved an accidental email from a MNsure worker — not a hacking of the MNsure website that would suggest a systemic threat.

But Republicans said the incident supports their concerns about data privacy at the health exchange.

“The data security breach … sent a very public message to Minnesotans that MNsure’s data security systems and/or protocols are not sufficiently able to protect their privacy,” GOP Sens. Sean Nienow of Cambridge and Michelle Benson of Ham Lake wrote in a letter to the chairmen of a legislative committee that oversees MNsure.

The DFL (Democratic Party in MN) will hold legislative hearings on the data breach on September 24th. That’s just seven days before Minnesotans without group insurance will be required to put their sensitive identity data into a system without much hope for security.


Comments

That’s a Paul Bunyan sized exposure.

Kafir on September 14, 2013 at 1:09 PM

Sweet.

Pork-Chop on September 14, 2013 at 1:09 PM

The DFL (Democratic Party in MN) will hold legislative hearings on the data breach

…hearings!

KOOLAID2 on September 14, 2013 at 1:15 PM

Anyone dumb enough to participate in this train wreck deserves what happens to them.

I don’t have health insurance. I’ll pay my penalty next year and keep leaning on Republicans to do the right thing and kill it.

beatcanvas on September 14, 2013 at 1:21 PM

“What if this had fallen into the wrong hands?”

Which part of “MNsure employee” do you not understand?

redzap on September 14, 2013 at 1:21 PM

Be very aware of this.

It doesn’t even contain the gun questions, to which you should always answer “NO”, no matter what.

Pay cash or see doctors outside of the chain…pay cash or barter.

Schadenfreude on September 14, 2013 at 1:21 PM

And now we learn today that HHS would like to add our social and behavioral information to the hub…so yes whatever naughtiness you did in 5th grade WILL go on your permanent record not to mention records and transcripts of your counseling sessions should you seek such help. Just some fun reading for government bureaucrats during the slow times….

Caseoftheblues on September 14, 2013 at 1:23 PM

Just remember, (as it states on your SS card) NOT TO BE USED FOR PURPOSES OF IDENTIFICATION.

GarandFan on September 14, 2013 at 1:25 PM

It doesn’t even contain the gun questions, to which you should always answer “NO”, no matter what.

Pay cash or see doctors outside of the chain…pay cash or barter.

Schadenfreude

Problem: if the questionnaire is a legal form that requires honest answers under penalty of law, you may be opening yourself to fines or jail time if they find out differing info.

Cash boutique care providers looks like the only way.

chimney sweep on September 14, 2013 at 1:33 PM

I was required to put all my data online in order to receive discounts on my health insurance premiums through my employer. THEN I was required, in order to continue receiving the discounts, to go get a biometric screening and all THAT information is now online. My boss refused to do it, but he doesn’t care about the discount. It’s kind of like extortion.

scalleywag on September 14, 2013 at 1:58 PM

Ed, you know the answers to your own questions. This is sheer stupidity — and you can bet that the internal databases in the Exchange in Minnesota mirror this identical stupidity.

unclesmrgol on September 14, 2013 at 1:58 PM

Cash boutique care providers looks like the only way.

chimney sweep on September 14, 2013 at 1:33 PM

Fine. Just don’t say “This is an unconstitutional or wrong question”. They mark that as “belligerent” or some such, tip of the IRS audits and such…

Cash or barter, or nothing.

Better dead than red.

Schadenfreude on September 14, 2013 at 2:07 PM

Cash boutique care providers looks like the only way.

chimney sweep on September 14, 2013 at 1:33 PM

Next up? Providers will be forbidden to accept cash.

scalleywag on September 14, 2013 at 2:07 PM

Well, it is only fair that it exposes 2400 agents to identity theft……. Because the whole system is going to expose 10,000 times as many people… (All you peasants) to identity theft, discrimination and perhaps even blackmail.

Me? I’ve ‘opted out’. Ain’t playing the game at all.

The funny thing is, when they put me in prison for not having insurance, and not paying their damn ‘tax’ (Thanks Benedict Roberts), then THEY (in other words, you honest taxpayers) will have to provide not only my healthcare, but my food, shelter and clothing.

Unless of course they just shoot me. Y’all will never notice your share of the cost of the bullet.

LegendHasIt on September 14, 2013 at 2:08 PM

Coming soon: Democratic campaign volunteers threatening to expose your medical shortcomings if you don’t vote for Killary.

John the Libertarian on September 14, 2013 at 2:09 PM

Next up? Providers will be forbidden to accept cash.

scalleywag on September 14, 2013 at 2:07 PM

:) Funny…there are doctors who’re still free.

Schadenfreude on September 14, 2013 at 2:10 PM

Unless of course they just shoot me. Y’all will never notice your share of the cost of the bullet.

LegendHasIt on September 14, 2013 at 2:08 PM

I repeat, better dead than red.

Schadenfreude on September 14, 2013 at 2:11 PM

Si, se Putin – h/t TXUS in last night’s QotD

Putin mocked 3 things in the brilliant NYT op-ed:

1. Leftist propaganda – he threw it back at all the leftists: UN, no war without world support, the US is not exceptional, make peace not war, etc.

2. obama – no words necessary – Putin knows all about obmama and told him so at the G20 (Snowden)

3. The USA’s demagoguery about freedom, exceptionalism, liberty…they are dwindling…killed by leftists…who preach it…

I have a question – how many leftists have gone to Saudi Arabia without a burqua? GB removed the burqua restrictions on campus yesterday…PC will kill all. I hope it will cut the leftards’ heads off first.

Schadenfreude on September 14, 2013 at 2:17 PM

DFL: Give us money from the Obama stash!

PattyJ on September 14, 2013 at 2:18 PM

Government agencies or government-protected agencies will always be sloppy with data. If Bank of America has a breach they risk their own name, their brand and customers. The government doesn’t really care. They don’t like bad publicity, but it’s more of an inconvenience than anything.

BofA can fail, the government can’t.

The incentives are very different.

mankai on September 14, 2013 at 2:35 PM

All part of the plan to liquidate the savings of Americans who are savers.

That great sucking sound? Americans’ wealth going to the post-national oligarchs.

Murphy9 on September 14, 2013 at 3:19 PM

A not-at-all-subtle reminder that in PlaceboCare, private insurance agents are not necessary.

Steve Eggleston on September 14, 2013 at 3:53 PM

Next up? Providers will be forbidden to accept cash.

scalleywag on September 14, 2013 at 2:07 PM

Just like Canada.

Steve Eggleston on September 14, 2013 at 3:54 PM

Who do I call about getting stimulus funding for a wall between Minnesota and Wisconsin? The gopher state seems to get stranger and stranger every day (to the point where I think the Vikings are going to have to change their name). We have our own problems here but still manage to maintain a little balance. Minnesota seems to have gone past the point of no return.

teejk on September 14, 2013 at 3:58 PM

And this is just the beginning. Obamacare will have us all become identity theft victims.

sadatoni on September 14, 2013 at 4:26 PM

And this is just the beginning. Obamacare will have us all become identity theft victims.

sadatoni on September 14, 2013 at 4:26 PM

The law that nobody bothered to read and nobody understands yet has a few “minor bugs” in it. Russian/Chinese hackers are salivating. I still believe it was meant to be a mere stepping stone towards the ultimate goal of “single payor”. The left has been crying for it for years (Tammy Baldwin from Wis is on record) so we could be like Norway and the other socialists that they emulate…forget that the countries they emulate are starting to figure out that it is indeed a ponzi scheme and it can’t work with declining birth rates. Liberals have tunnel vision…they can’t see that raising taxes reduces the number of children a family can afford when put together with higher energy and food prices and all the other parts of their agenda. They aren’t very good at math or logic.

teejk on September 14, 2013 at 4:56 PM

A MNsure security manager called the broker, Jim Koester, and walked him and his assistant through a process of deleting the file from their computer hard drives.

Koester said he willingly complied, but was unnerved.

Yeah…riiight…he deleted it. WANNA BET?

timberline on September 14, 2013 at 5:17 PM

Living in Minnesota, I always thought that people were more bright. After being here for a number of years and witnessing how they vote, I would no longer even consider using the word bright in the same sentence with Minnesota voter.

crosshugger on September 14, 2013 at 5:31 PM

crosshugger on September 14, 2013 at 5:31 PM

I’m only an hour from your border…Minnesota politics are a head-scratcher for me (e.g. ads now playing here inviting same sex partners to get married and honeymoon there…I would move if I were you). Barring that can we trade Madison for something in the Mesabi range??? Somehow I think they can’t be too happy with what is happening.

teejk on September 14, 2013 at 6:53 PM

There are too many ‘accidents’ followed by faux apologies.

dylan on September 14, 2013 at 7:41 PM

LOLZ…I used to work for a network security firm…and you can believe me, NOTHING on the Internet is totally secure. Linux servers are more secure than most, but anything else (and I’m sure you know which software giant I refer to)…not so much.

(CMS) had just pronounced security at the exchanges as secure a few days earlier,

Uh-huh…wait and see.

sage0925 on September 14, 2013 at 9:17 PM