Audit of the Connecticut Health Insurance Exchange Uncovers 44 Unreported Data Breaches – HIPAA Journal
Share this article on:
An audit of Connecticut’s Health Insurance Exchange, Access Health CT, by the state auditor has revealed Access Health CT suffered 44 data breaches over the last 3.5 years that had not been fully reported and that sufficient steps had not been taken to safeguard sensitive data.
The Connecticut Health Insurance Exchange acts as a health insurance marketplace to reduce the number of state residents who do not have health insurance and to facilitate applications by low-income individuals for Medicaid coverage, as required under The Affordable Care Act.
While Access Health had reported the data breaches to the Department of Health and Human Services, as required by HIPAA, and the state attorney general had been notified, the breaches had not been reported to the state auditor and comptroller. Under state law, the Connecticut Health Insurance Exchange is required to notify the Auditors of Public Accounts and the State Comptroller promptly when a security breach is discovered.
The majority of the data breaches were small incidents, with most of the breaches (34) involving a Hampton, VA-based contractor– Faneuil Inc – which operates the Access Health CT call center. Most of those breaches involved a single individual’s data or the data of individuals in the same household and were mostly admin errors and password reset errors.
Across the 34 data breaches, some 49 different individuals were affected. The remaining 10 data breaches were spread among 5 different contractors. The largest breach was the result of a phishing attack, in which the information of 1,100 individuals was potentially compromised.
In addition to the failure to report the breaches, the auditors concluded that Access Health had failed to take sufficient steps to ensure the confidentiality, integrity, and security of client data, especially considering 34 data breaches had occurred at a single contractor. There are requirements to implement controls to ensure the confidentiality, integrity, and security of sensitive data in state and federal laws.
“Our audit identified internal control deficiencies, instances of noncompliance with laws, regulations, and policies, and a need for improvement in practices and procedures that warrant the attention of management,” explained the auditors in their report. The auditors also determined that the procurement policy for vendors lacked the specific criteria to determine appropriate reasons for awarding sole-source contracts.
Access Health CT said the breaches had been reported but were not reported to the state auditor and comptroller as it was unaware of the breach reporting requirements in the state. Access Health CT concurred with the recommendations made in the report and said third-party vendors are assisting with the implementation of a new risk management framework, which will provide comprehensive visibility and oversight of compliance with the information security requirements of state and federal laws. Access Health CT said it is also strengthening its internal purchasing policies and procedures and will be revising its contract procurement policy.