By Tom Steward │Watchdog Minnesota Bureau
ST.PAUL — Maybe someone should think about re-branding the MNsure online health-care exchange MN-UNsure, given the embarrassing blunders revealed in the rush to implement the Affordable Care Act and provide medical coverage for Minnesotans.
Besides awarding controversial navigator outreach grants to Planned Parenthood—Minnesota, North Dakota, South Dakota and a businessman with a record of a traffic incident involving a gun, MNsure came under fire in a legislative hearing this week for failing to award grants to African-Americans, who make up a disproportionate number of uninsured Minnesotans.
Even MNsure’s high-profile mascot, Paul Bunyan and Babe the Blue Ox, haven’t escaped criticism.
Launched with $110 million in federal funding for outreach, call center and online marketplace, MNsure’s PR machine boasts about “collaborating with community partners and insurance agents/brokers to create a customer service network.”
Now, it turns out, the state’s customer-service network was compromised before even going online in October, due to a security breach involving the Social Security numbers and other private data for 2,400 insurance brokers, first reported by the Star Tribune.
State health exchange officials confirmed a MNsure employee Sept. 12 mistakenly hit the send button on an email to a suburban Twin Cities insurance agent signing up to become a “navigator” to help enroll potential clients for coverage.
“The collection of social security numbers is standard practice in order to enable the recording of continuing education (CE) credits,” MNsure said in a statement.
The recipient, Jim Koester of Apple Valley, was stunned to open an attachment with hundreds of Social Security numbers, names, license information and businesses. The security breach was discovered and deleted from Koester’s computer with the help of a state technology expert. The expert helped the insurance agent “navigate” the MNsure system in a much different way than first anticipated.
“The more I thought about it, the more troubled I was,” Koester told the newspaper. “What if this had fallen into the wrong hands? It’s scary. If this is happening now, how can clients of MNsure be confident their data is safe?”
MNsure staff took steps to assure the public the breach was found and fixed and that the insurance brokers whose private information was disseminated would be quickly notified.
The security violation provides a window into the scramble to meet the fast-approaching Oct. 1 deadline to get the first phase of health insurance exchanges up and running online.
A University of Minnesota expert this week warned the U.S. House Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies of the dangers involved in “the largest personal data integration government project in the history of the Republic, with up to 300 million American citizen records needing to be combined from five federal agencies.”
“No one has said how the data hub will actually operate to ensure no privacy breaches as well as safeguard against identity fraud,” Stephen Parente, Minnesota Insurance Industry Chair of Health Finance in the Carlson School of Management told the subcommittee. “Greater transparency is needed, as well as a frank acknowledgement that the ACA’s posted deadlines should take second place to reasonable data concerns.”
Contact Tom Steward at [email protected]