Audit of the Connecticut Health Insurance Exchange Reveals 44 Unreported Data Breaches

An audit by the state auditor of the Health Insurance Exchange of Connecticut, Access Health CT, indicated that Access Health CT experienced 44 data breaches over a period of 3.5 years, did not completely report them, and did not take adequate steps to protect sensitive records.

The Connecticut Health Insurance Exchange operates as a health insurance marketplace to minimize the number of state citizens who do not have health insurance and to assist low-income people in applying for Medicaid coverage, as required under the Affordable Care Act.

Although Access Health had filed the data breach reports with the Department of Health and Human Services, in accordance with the HIPAA rule, and informed the state attorney general, the breaches were not reported to the state auditor and comptroller. State legislation requires the Connecticut Health Insurance Exchange to inform the Auditors of Public Accounts and the State Comptroller immediately whenever a security breach is uncovered.

Most of the data breaches were minor incidents, with the majority (34) relating to Faneuil Inc, a contractor based in Hampton, VA, which runs Access Health CT's customer support. The majority of those breaches affected one person's information or the data of people in the same home and were largely administrative errors and password reset errors.

The 34 data breaches impacted some 49 different people. The other 10 data breaches were spread among 5 different contractors. The biggest breach resulted from a phishing attack in which the data of 1,100 people was likely compromised.

Apart from the failure to report the breaches, the auditors concluded that Access Health did not take enough steps to ensure the security, confidentiality, and integrity of client information, particularly given that 34 data breaches had happened at just one contractor. State and federal rules require controls to protect the confidentiality, integrity, and security of sensitive information.

The auditors stated that they had discovered internal control inadequacies, cases of non-compliance with rules, regulations, and guidelines, and a need for improvement in practices and procedures that requires management's consideration. The auditors also established that the procurement guidelines for suppliers lacked the specific requirements needed to determine the proper reasons for awarding sole-source agreements.

Access Health CT stated that the breaches were reported but were not sent to the state auditor and comptroller because it did not know about the state's breach reporting requirements. Access Health CT agreed with the recommendations made in the report and stated that third-party vendors are supporting the setup of a new risk management system, which will offer extensive visibility and monitoring of compliance with the information security requirements of state and federal regulations. Access Health CT said it is likewise strengthening its internal purchasing policies and procedures and will be changing its contract procurement scheme.