MNsure data breach will get state reviews

Legislators decided Friday to hold a hearing to look into the accidental release of personal data on 2,400 insurance brokers by a Minnesota health insurance exchange staff member.

Legislative Auditor Jim Nobles also announced that his office will investigate the data security practices at MNsure, the state's soon-to-launch online insurance marketplace that is the linchpin to expand health coverage under the Affordable Care Act.

"There is going to be an independent review, and we are going to get to the bottom of it," Nobles said.

Republican legislators and other critics have long voiced privacy concerns about the system. With the revelation that the personal information, including Social Security numbers, was released in an errant e-mail, critics say their fears are validated.

"Minnesotans are now justifiably nervous about the security of private data they release to the MNsure systems," Sen. Sean Nienow, R-Cambridge, and Sen. Michelle Benson, R-Ham Lake wrote in a letter to the Legislature's MNsure Oversight Committee. "We have an obligation to ensure data integrity and allay those fears."

In light of the incident, the leaders of the Oversight Committee scheduled a Sept. 24 hearing to discuss the breach.

"We take the reported release of personal data very seriously," Sen. Tony Lourey, DFL-Kerrick, and Rep. Joe Atkins, DFL-Inver Grove Heights, said in a letter.

MNsure and other exchanges across the country are intended to be new online marketplaces that will usher in the final and most sweeping elements of the federal health law, often called Obamacare. More than 1 million Minnesotans — including small-business owners, individuals younger than 65 without workplace coverage and those on public health plans — are expected to use MNsure to sign up with health insurance plans.

MNsure officials on Friday declined to provide more details about the e-mail, which was first reported by the Star Tribune, beyond an earlier statement. The statement said that while the e-mail was sent "inadvertently," it violated MNsure's data privacy policy.

MNsure planned to alert the brokers whose Social Security numbers and other information were sent to an Apple Valley broker and his assistant, and to evaluate whether additional policies should be implemented to prevent such incidents in the future.

Gov. Mark Dayton acknowledged the problems with the nascent exchange but said "glitches" should be expected.

"The breach of privacy was a serious violation of their protocol and their procedures. They'll learn from that, and it will make them even stronger in the days following," Dayton said. "I think there are going to be instances of human error and the like that, unfortunately, are going to get all the attention."

"A lot of people who know this world have been very concerned, rightly, about the more sophisticated vulnerabilities and risks that exist, both external and internal," Nobles said. "We're going to go down there next week and really investigate thoroughly what happened, how it happened, why it happened and what needs to change to keep this sort of thing from happening again."

Earlier in the week, MNsure officials were rebuked by community organizations and legislators — many of them strong supporters of MNsure — over $4 million in grants aimed at helping people use the exchange to sign up for insurance coverage.

Critics packed a meeting of the Oversight Committee, telling members that the 30 groups selected by MNsure to receive the grants didn't adequately represent those with expertise in reaching underserved populations, including African-Americans, Somali immigrants and those with mental illnesses. In response, the MNsure board allocated an additional $750,000 in outreach spending.

jackie.crosby@startribune.com 612-673-7335