Report: Health Insurance Exchange Suffered Dozens of BreachesOne Vendor Linked to Vast Majority of Connecticut Exchange's Incidents
Access Health, Connecticut's health insurance exchange under the Affordable Care Act, experienced dozens of mostly small data breaches over about a 3 1/2-year period, and the vast majority involved a single call center contractor, says a state auditor report that recommends the exchange take steps to improve its protection of personally identifiable information.
Also, while Access Health reported the data breaches to the U.S. Department of Health and Human Services and Connecticut's attorney general, as required, the health insurance exchange did not report the security incidents to the state auditor and comptroller, as also mandated by law.
In total, Access Health did not report 44 breaches of clients' personally identifiable information to the state auditor and state comptroller, says the report, which was issued last month. Of those incidents, 34 breaches involved one contractor, the report says.
That contractor is Faneuil Inc., which is based in Hampton, Virginia, and operates Access Health's call center, Caroline Lee Ruwet, Access Health's marketing director, tells Information Security Media Group.
She says nearly all those call center breaches affected only one consumer or more than one individual from the same household, and of the incidents involved password reset errors or administrative errors. In total, 49 individuals were affected by the Faneuil incidents, she says.
The state auditor's report says five other contractors were involved in the remaining 10 breaches. The report does identify the other contractors involved.
The largest of the 44 breaches - all of which occurred between July 2017 and March 2021 - involved a phishing scam that affected 1,100 individuals. That incident did not involve a contractor, Ruwet says. In total, 1,165 individuals were affected by the breaches.
Faneuil did not immediately respond to Information Security Media Group's request for comment.
Connecticut's health insurance exchange "did not take sufficient actions to ensure the confidentiality, integrity, and security of client data" when one of its contractors incurred 34 of those  breaches," the report says.
"The Connecticut Health Insurance Exchange should promptly notify the Auditors of Public Accounts and the State Comptroller of any breach of security, in accordance with [state] statutes. The exchange should ensure that sufficient internal controls are in place to safeguard clients’ personally identifiable information," the auditors say.
The health insurance exchange says it did not report the incidents to the state auditor and comptroller because it was unaware of the state's breach of security notification requirements, according to the report.
Federal regulations also requires state exchanges to protect PII with reasonable operational, administrative, technical and physical safeguards to ensure its confidentiality, integrity and availability and to prevent unauthorized or inappropriate access, the report says.
"The [federal regulations] require state exchanges to oversee and monitor non-exchange entities and ensure that they comply with the privacy and security standards established and implemented by a state exchange," the report says.
"Breaches of data increase the client's risk of identity theft, medical insurance abuse, and financial fraud," the auditors say. Access Health incurred costs of two years' worth of security monitoring for individuals who experienced a breach, the report says.
"The exchange did not implement sufficient internal controls to prevent breaches of client data."
The auditors recommended that the Connecticut health insurance exchange "should promptly notify the Auditors of Public Accounts and the State Comptroller of any breach of security," in accordance with state law. The auditors also recommend that the exchange ensure that sufficient internal controls are in place to safeguard clients' PII.
The report says Access Health, in response to the auditors' findings, "recognizes the importance of strong information security controls especially given the sensitive nature of data the Health Insurance Exchange systems process and store."
The exchange says it monitors vendor compliance with security requirements and is implementing additional protocols to monitor compliance and improve vendor security practices, the report says.
"The Exchange requires any vendor causing a breach to cover the cost of two-years of security monitoring for clients who experienced a breach, and requires vendors to maintain sufficient liability insurance in case of a breach," the report says.
Access Health is currently working with third-party vendor Janus Associates to assist with the implementation of a risk management framework to provide comprehensive visibility and oversight into compliance with information security controls, Ruwet says.
The exchange says it complies with statutory reporting requirements and will comply with additional reporting requirements, according to the report.
Some experts say the findings by the Connecticut auditors involving the review of the state's health insurance exchange are important reminders for other entities and their vendors handling personally identifiable information and other sensitive data.
"This report should serve as a wake-up call for organizations that operate or contract with call centers, highlighting the importance of good privacy and administrative practices," says attorney Andrew Mahler, vice president of privacy and compliance at privacy and security consulting firm CynergisTek.
"While implementing robust information security practices is vital, organizations should not lose sight of the risk posed when employees and vendors do not receive regular and appropriate privacy training, education and access to clear policies and procedures," he says.
Health insurance exchanges receive and process sensitive financial, medical and other personal information, Mahler says. "Incidents affecting exchanges can result in identity theft, healthcare fraud and abuse."
He adds that the U.S. Department of Health and Human Services has the ability to suspend certain transactions between the exchange and HHS if HHS discovers a security and privacy incident or breach.
"This cannot only cause disruptions at a state level but perhaps more importantly, can affect how individuals and their families obtain needed health insurance," Mahler says.