Two reviews are planned of MNsure, the state’s new online health insurance exchange, after an employee accidentally distributed confidential information about more than 2,400 insurance agents.
A legislative panel and the legislative auditor said they want more information about the breach. MNsure officials acknowledged mishandling private information. They said the employee sent an email to the office of an Apple Valley insurance broker that contained Social Security numbers, names, business addresses and other identifying information.
The employee realized her mistake and immediately called the broker, Jim Koester. Then a MNsure security manager called to walk Koester and his assistant through the process of deleting the file from their computer hard drives. Koester told the Star Tribune he willingly complied but was unnerved by what happened.
“The more I thought about it, the more troubled I was,” he said. “What if this had fallen into the wrong hands? It’s scary. If this is happening now, how can clients of MNsure be confident their data is safe?”
MNsure officials said the mistake was quickly resolved and was their first security breach. MNsure’s online marketplace, which launches Oct. 1, is the main vehicle for implementing federal health care changes. People will be able to comparison-shop among various health insurance options, with federal tax subsidies available to help the uninsured and underinsured get coverage.
Users of the exchanges will have to provide sensitive information, including Social Security numbers. The information will be sent to a federal hub to verify such things as citizenship and household income. The privacy of confidential data has been a long-time concern for some skeptics of the exchange.
“The people who believe in this are so driven that there’s a sub-context of, `Just let us do our job and get as many people signed up as possible, and we’ll pick up the debris later,’?” said Steve Parente, a University of Minnesota finance professor who specializes in information technology related to the health industry.
A MNsure official told the Star Tribune that the agency would investigate the lapse to figure out exactly how it happened, and would notify all brokers whose data was disclosed. Their Social Security numbers had been collected so the Department of Commerce could give the agents credit for MNsure navigator training as part of their state-mandated continuing education.
Koester said the information was on an unencrypted Excel spreadsheet. “They’ve got to realize they have a huge problem,” he said.
Democratic Gov. Mark Dayton defended MNsure. “There’s going to be mistakes, there’s going to be glitches and there’s going to be human error, as there is in any enterprise – particularly just a large one like this that’s just getting underway,” he said.
But two Republican senators, who have previously raised concerns about data privacy related to MNsure, requested a special meeting of a legislative oversight panel to review the data breach. Later Friday, the Democratic co-chairmen of the oversight committee said they would schedule a hearing as soon as possible, saying they share concerns about data security.
Minnesota’s Legislative Auditor, James Nobles, said he planned his own probe beginning next week of data handling practices at MNsure.
“There are still a lot of questions that need to be answered about how that happened,” Nobles said. “We’re going to be asking if that data is encrypted and if not why not.”