State-run health insurance exchange failed to prevent data breaches of CT residents, audit finds

The health exchange that makes it easier for Connecticut residents to purchase Obamacare plans should do more to protect its customers’ personal data, according to a recent state audit, and also failed to report dozens of data security breaches to state authorities.

Personal information was lost in 44 breaches at Access Health CT between July 2017 and March 2021, including a phishing scam that affected 1,100 people, according to the public accounts auditors’ early March report. But these failures were not reported to the auditor or the state comptroller’s office, as required by law, according to the audit.

State Auditor John Geragosian said his office reviewed Access Health CT’s information security policies and found that they needed improvement.

“Internal controls were not sufficient to prevent customer data breaches,” he said in a statement.

The bureau recommended that Access Health CT strengthen its security practices and noted in the audit report that “the exchange did not take sufficient steps to ensure the confidentiality, integrity, and security of data from clients”.

Meanwhile, the exchange reported experiencing the most breaches of any organization, private or public, in Connecticut in recent years, according to a review of data from the state’s attorney general’s office shared with Hearst Connecticut Media.

Of the 44 data breaches auditors found, which were reported to the attorney general as required but not to other state authorities, Access Health CT’s call center provider, Faneuil Inc., was responsible for 34 cases. The organization, also called the Connecticut Health Insurance Exchange, is privately owned but is regulated by a state-appointed board; it receives no direct funding from the state.

Faneuil continues to operate Access Health CT’s call center. And three other breaches involving the call center provider have been reported so far this year.

Faneuil declined to comment on the breaches and audit findings, directing all questions to Access Health CT.

In a statement, Kathleen Tallarita, spokesperson for the agency, explained that most of the violations in question are minor, affecting one consumer at a time.

Access Health CT has also hired an external cybersecurity firm, Stamford-based JANUS Associates, to help build a stronger information security framework, Tallarita said. She added that any supplier responsible for a breach, including Faneuil, is required to pay for security monitoring for the affected customer.

“The exchange monitors vendor compliance with security requirements and has implemented additional protocols to improve security practices at Faneuil and to monitor their compliance,” she said.

In total, Access Health CT reported about 110 breaches between 2013 and 2020, more than any other organization inside or outside Connecticut, according to data from the attorney general’s office. It is unclear from the data whether an employee of Access Health CT or one of its suppliers was involved in each of the failures.

Access Health CT’s call center has had repeated problems accidentally linking the wrong personal information to other people’s online accounts, according to reports Access Health CT filed with regulators disclosing the loss of customer information.

The reports, which do not indicate any malicious intent in the loss of private data, detail how call center representatives mistakenly gave access to personal information to different customers by adding people to the wrong accounts.

In a recent breach reported on Jan. 28, for example, the error was discovered when a customer called the center to let them know she could see someone else’s private data.

Faneuil was awarded its contract to manage Access Health CT’s customer support in 2016. The contract was renewed in 2019 and again in August, according to the organization’s financials.

Although Access Health CT said most of the breaches it reports involve only one person, the health insurance exchange has also not been immune to outside attacks that expose information from more people. Geragosian said a phishing scam involving an Access Health CT employee in October 2019 also went unreported to the auditor’s and comptroller’s offices. Faneuil also suffered a ransomware attack in August 2021, according to documents shared by the auditor’s office.

Access Health CT handled about 573,000 inquiries from state residents in 2021, including through its call center, according to the organization’s latest annual report.

The effects of the pandemic – including rising jobless numbers and new financial relief from assistance programs – have caused more people to seek plans under the Affordable Care Act and to use Access Health CT’s healthcare services. By the end of 2021, enrollment had increased by 7%.