Health exchanges that promote the purchase of Obamacare programs for Connecticut residents need to do more to protect their clients’ personal data.
According to a report from the public accounting auditor in early March, 44 breaches at Access Health CT from July 2017 to March 2021 exposed personal information, including phishing scams that affected 1,100 people. However, according to the audit, these breaches were not reported to the auditors or the state’s Comptroller’s Office, as legally required.
State auditor John Geragosian said his office reviewed the Access Health CT information security policy and found a need for improvement.
“Internal control wasn’t enough to prevent client data breaches,” he said in a statement.
The office recommends strengthening Access Health CT security practices, stating in an audit report that “the exchange has not taken sufficient steps to ensure the confidentiality, integrity and security of client data.”
Meanwhile, a review of data from the State Attorney General’s office shared with Hearst Connecticut Media shows that the exchange is experiencing the most violations of any private or public organization in Connecticut.
The 44 data breaches found by the auditor were reported to the Prosecutor’s Office as needed, but not to other state authorities. Access Health CT call center vendor Faneuil Inc. was responsible for 34 cases. Access Health CT, also known as the Connecticut Health Insurance Exchange, is a private company, but it is regulated by a state-appointed board of directors. It is not directly funded by the state.
Faneuil continues to operate the Access Health CT call center. And so far this year, three more violations involving call center vendors have been reported.
Faneuil refused to comment on the breach and audit results and sent all questions to Access Health CT.
In a statement, agency spokeswoman Kathleen Tallarita explained that most of the breaches in question were small, affecting one consumer at a time.
According to Tallarita, Access Health CT hired an external cybersecurity company called JANUS Associates, based in Stamford, to help implement a stronger information security framework. She added that vendors responsible for a breach, including Faneuil, must pay for security monitoring of affected clients.
“The exchange has implemented additional protocols to monitor vendor compliance with security requirements, improve security practices at Faneuil, and monitor their compliance,” she said.
In total, Access Health CT reported about 110 violations between 2013 and 2020. This is more than any other organization inside or outside Connecticut, data from the Attorney General’s office show. It is not clear from the data whether an Access Health CT employee or one of its vendors was involved in the respective breaches.
According to a report filed by Access Health CT with a regulatory agency that disclosed the loss of client information, Access Health CT call centers have repeatedly had the problem of accidentally linking incorrect personal information to someone else’s online account.
The report, which did not point out malicious intent in the loss of personal data, details how call center personnel could inadvertently allow various clients to access personal information by adding people to the wrong account.
For example, in a recent breach reported on January 28, a mistake was discovered when a client called the center and told them that they could view someone else’s personal data.
Faneuil signed an agreement in 2016 to manage customer support for Access Health CT. According to the organization’s financial statements, the contract was renewed in 2019 and August.
Access Health CT states that most of the reported violations involve only one person, but the health insurance exchange is also not immune to external attacks that expose more people’s information. Geragosian said a phishing scam involving Access Health CT employees in October 2019 was also not reported to the auditors and accounting auditors’ offices. Faneuil also experienced a ransomware attack in August 2021, according to a document shared by the Audit Office.
According to the organization’s latest annual report, Access Health CT responded to approximately 573,000 inquiries from state residents, including call centers, in 2021.
Due to the effects of the pandemic, such as rising unemployment and new financial relief from aid packages, more and more people are looking for health insurance reform plans and using Access Health CT’s services. By the end of 2021, the number of registrants had increased by 7%.