Legislators and the legislative auditor will look at how an e-mail disclosed sensitive information.
Legislators decided Friday to hold a hearing to look into the accidental release of personal data on 2,400 insurance brokers by a Minnesota health insurance exchange staff member.
Legislative Auditor Jim Nobles also announced that his office will investigate the data security practices at MNsure, the state’s soon-to-launch online insurance marketplace that is the linchpin to expand health coverage under the Affordable Care Act.
“There is going to be an independent review, and we are going to get to the bottom of it,” Nobles said.
Republican legislators and other critics have long voiced privacy concerns about the system. With the revelation that the personal information, including Social Security numbers, was released in an errant e-mail, critics say their fears are validated.
“Minnesotans are now justifiably nervous about the security of private data they release to the MNsure systems,” Sen. Sean Nienow, R-Cambridge, and Sen. Michelle Benson, R-Ham Lake wrote in a letter to the Legislature’s MNsure Oversight Committee. “We have an obligation to ensure data integrity and allay those fears.”
In light of the incident, the leaders of the Oversight Committee scheduled a Sept. 24 hearing to discuss the breach.
“We take the reported release of personal data very seriously,” Sen. Tony Lourey, DFL-Kerrick, and Rep. Joe Atkins, DFL-Inver Grove Heights, said in a letter.
Week of criticism
The events capped a week of blistering criticism of the state’s new health insurance exchange, just 17 days before it begins open enrollment on Oct. 1. On Tuesday, legislators and community leaders lashed out at MNsure officials for failing to give outreach grants to well-established groups that work with African-Americans and other hard-to-reach groups that lack insurance.
MNsure and other exchanges across the country are intended to be new online marketplaces that will usher in the final and most sweeping elements of the federal health law, often called Obamacare. More than 1 million Minnesotans — including small-business owners, individuals younger than 65 without workplace coverage and those on public health plans — are expected to use MNsure to sign up with health insurance plans.
MNsure planned to alert the brokers whose Social Security numbers and other information were sent to an Apple Valley broker and his assistant, and to evaluate whether additional policies should be implemented to prevent such incidents in the future.
Gov. Mark Dayton acknowledged the problems with the nascent exchange but said “glitches” should be expected.
“The breach of privacy was a serious violation of their protocol and their procedures. They’ll learn from that, and it will make them even stronger in the days following,” Dayton said. “I think there are going to be instances of human error and the like that, unfortunately, are going to get all the attention.”
Nobles said his office has long planned to scrutinize information security plans with MNsure. He said he met with MNsure officials Thursday, the day of the security breach, but he didn’t learn of the incident until reading about it in the Star Tribune on Friday.
‘Really investigate thoroughly’
“A lot of people who know this world have been very concerned, rightly, about the more sophisticated vulnerabilities and risks that exist, both external and internal,” Nobles said. “We’re going to go down there next week and really investigate thoroughly what happened, how it happened, why it happened and what needs to change to keep this sort of thing from happening again.”