Home  >  Minnesota  >  Security breach rattles MN health-care exchange

Security breach rattles MN health-care exchange

By   /   September 13, 2013  /   2 Comments

By Tom Steward │Watchdog Minnesota Bureau

UNsure of MNsure Health Care Exchange: Even Paul Bunyan and Babe the Blue Ox have taken criticism in their role as mascots for Minnesota’s health care exchange.

ST.PAUL — Maybe someone should think about re-branding the MNsure online health-care exchange MN-UNsure, given the embarrassing blunders revealed in the rush to implement the Affordable Care Act and provide medical coverage for Minnesotans.

Besides awarding controversial navigator outreach grants to Planned Parenthood—Minnesota, North Dakota, South Dakota and a businessman with a record of a traffic incident involving a gun, MNsure came under fire in a legislative hearing this week for failing to award grants to African-Americans, who make up a disproportionate number of uninsured Minnesotans.

Even MNsure’s high-profile mascot, Paul Bunyan and Babe the Blue Ox, haven’t escaped criticism.

Launched with $110 million in federal funding for outreach, call center and online marketplace, MNsure’s PR machine boasts about “collaborating with community partners and insurance agents/brokers to create a customer service network.”

Now, it turns out, the state’s customer-service network was compromised before even going online in October, due to a security breach involving the Social Security numbers and other private data for 2,400 insurance brokers, first reported by the Star Tribune.

State health exchange officials confirmed a MNsure employee Sept. 12 mistakenly hit the send button on an email to a suburban Twin Cities insurance agent signing up to become a “navigator” to help enroll potential clients for coverage.

“The collection of social security numbers is standard practice in order to enable the recording of continuing education (CE) credits,” MNsure said in a statement.

The recipient, Jim Koester of Apple Valley, was stunned to open an attachment with hundreds of Social Security numbers, names, license information and businesses.  The security breach was discovered and deleted from Koester’s computer with the help of a state technology expert. The expert helped the insurance agent “navigate” the MNsure system in a much different way than first anticipated.

“The more I thought about it, the more troubled I was,” Koester told the newspaper. “What if this had fallen into the wrong hands? It’s scary. If this is happening now, how can clients of MNsure be confident their data is safe?”

MNsure staff took steps to assure the public the breach was found and fixed and that the insurance brokers whose private information was disseminated would be quickly notified.

“MNsure takes this incident extremely seriously. While it appears that this incident was accidental, MNsure will conduct a thorough investigation to fully understand the nature of the incident,” according to the agency’s statement. “MNsure has a data privacy policy in place, and this employee’s action was a violation of this policy. MNsure is evaluating whether any additional policies and procedures can be implemented to prevent such incidents in the future.”

The security violation provides a window into the scramble to meet the fast-approaching Oct. 1 deadline to get the first phase of health insurance exchanges up and running online.

A University of Minnesota expert this week warned the U.S. House Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies of the dangers involved in “the largest personal data integration government project in the history of the Republic, with up to 300 million American citizen records needing to be combined from five federal agencies.”

“No one has said how the data hub will actually operate to ensure no privacy breaches as well as safeguard against identity fraud,” Stephen Parente, Minnesota Insurance Industry Chair of Health Finance in the Carlson School of Management told the subcommittee. “Greater transparency is needed, as well as a frank acknowledgement that the ACA’s posted deadlines should take second place to reasonable data concerns.”

Contact Tom Steward at tom@watchdogminnesota.org

Click here to LEARN HOW TO STEAL OUR STUFF!

Tom Steward covers government waste, spending and policy issues in his home state of Minnesota. Also a documentary filmmaker and in-depth broadcast journalist, Tom's work has appeared on NPR, Animal Planet, WCCO-TV, WGBH-TV, PBS, Australian Broadcasting Corporation, KSTP-TV, CBC, among other outlets. Highlights include the fall of the Berlin Wall, a Peabody Award, the first footage in the wild of the endangered Sumatran tiger and rhino and countless individuals who shared their stories, big and small. Steward served as a communications strategist in the U.S. Senate before returning to reporting on issues and people often overlooked by other media.

  • Loisbikelane

    You infer that the navigator research grants are “controversial”; please elaborate?
    Also wondering what is wrong with helping Planned Parenthood sign up their many clients for MNsure, who are probably not covered by health insurance. Can you give examples, instead of merely casting aspersions?
    Thanks in advance.

  • Friend

    Navigators are not experts in insurance. An expert (ie insurance agent) can not be a navigator, unless they are only paid by the insurance exchange and not the insurance company. The only people that should be advising people on insurance coverage, are ones that are certified, licensed and approved to sell insurance in their particular state. Navigators are paid too, by application. If the Planned Parenthood person signing up someone is an expert in insurance finace, then there probably isn’t an issue. The issue lays when experts aren’t the ones providing the advise.