As questions swirl around the state’s new health insurance exchange, the agency responsible for safeguarding Minnesotans’ private data expressed confidence Friday that ample protections are in place and that citizens “should trust the system.”
“We have the latest tools and technology that we can bake into every level of the system,” said Carolyn Parnell, commissioner of the state’s information security department, known as MN.IT. “Even when the [MNsure] system is launched, security never ends.”
Parnell appeared at a meeting of the MNsure exchange’s board, which was seeking answers about a recent privacy breach in which a MNsure employee sent an e-mail containing the names and Social Security numbers of 1,600 insurance brokers. (Officials previously said the number was 2,400 but have since determined that some brokers were listed twice.)
With fewer than two weeks to go until consumers start shopping on the exchange, MNsure Executive Director April Todd-Malmlov drew a distinction between the errant e-mail and the website that consumers will use to access the exchange.
“I want to be very clear,” Todd-Malmlov said. “The data incident was in no way related to MNsure’s IT system.”
Rep. Peggy Scott, R-Andover, said the explanation of the security breach and measures to protect consumer privacy fell short.
“Notably absent at today’s MNsure Board meeting was any sort of apology to the Minnesotans whose personal information was violated,” Scott said in a statement. “Today’s meeting only raised more questions about MNsure’s lack of data security procedures.”
Todd-Malmlov said the employee who sent the e-mail to an independent broker had been trained in security measures along with all staff. But the information was kept on the employee’s desktop computer and was not encrypted, in violation of policy.
The employee is no longer working for MNsure, Todd-Malmlov said.
In a bitter twist, Todd-Malmlov said in an interview that she has since learned that MNsure may not even have needed to collect brokers’ Social Security numbers. It had asked for the information believing it was needed to ensure that the brokers got continuing education credits for the certification process to become navigators who will help people sign up.
The exchanges open nationwide on Oct. 1 and are a key component of the federal health law, often called Obamacare. The MNsure exchange is aimed at individuals, families and small-business owners, and it will serve as the entryway to enroll those on public programs such as Medical Assistance and MinnesotaCare.
Senate Minority Leader David Hann, of Eden Prairie, said MNsure still isn’t ready to meet its timeline.
“The MNsure board of directors meeting offered no new answers to the question that thousands of Minnesotans have. Will my privacy be protected?” Hann said in a statement.
Sen. Sean Nienow, R-Cambridge, took to social media over an end-of-the-meeting discussion in which two board members suggested the state tell consumers to stay away on opening day, as a way to be more honest with consumers and tamp down expectations.
“I would encourage Minnesotans not to call on Oct. 1,” suggested board member Tom Forsythe, vice president of global communications at General Mills Inc., so as not to put too big of a load on the call center.
Thompson Aderinkomi, founder of a health IT start-up, added that there was “nothing wrong” with the idea of waiting, likening it to the launch of new iPhones when Apple servers get bogged down.
Todd-Malmlov thanked the board for “great feedback.”
The broader theme of Friday’s meeting revolved around the potential loss of trust from the e-mail mistake, as well as the need for assurance that the incident did not signify more systemic problems.
Dr. Kathryn Duevel, a board member, wanted to know how MNsure could reassure people who are most in need of getting coverage.
“We need to get people some level of assurance that they can still come to MNsure and apply,” she said. “What are we going to do to educate them?”
Chris Buse, assistant commissioner and chief information security officer of MN.IT, told the board there had been an “all hands on deck” staffing philosophy for the past year.
His department has worked closely with federal agencies, including the IRS, to make sure the system meets requirements for safeguarding private data.
“There are no guarantees,” he said. “But you try to put in the best preventive, corrective controls to make the system as secure as possible.”