MNsure's data breach must be taken seriously

Paul Bunyan and Babe the Blue Ox have had a painful couple of weeks.

This time, the legendary lumberjack's injuries weren't inflicted by woodpeckers, water skiing or sledding — among the hazards that make Minnesota the land of "10,000 reasons to get health insurance,'' according to the ads in which Bunyan and Babe promote the state's new online health coverage marketplace.

Instead, the latest mishaps came at the hands of their new MNsure colleagues, who have made two disappointing mistakes recently that sapped confidence in this important marketplace in the critical lead-up to its Oct. 1 launch.

MNsure leaders deserve credit for quickly addressing one of the missteps by bolstering outreach funds to help minority and hard-to-reach communities sign up for coverage. The move followed vehement complaints from state Sen. Jeff Hayden, DFL-Minneapolis, and others that MNsure's grant process had left groups serving these communities out in the cold.

But detailed answers are still needed about the MNsure staff's other high-profile mistake — a data breach in which an employee ­inadvertently e-mailed a spreadsheet containing personal information of more than 2,400 Minnesota health insurance brokers. Included in the attachment were Social Security numbers, which could put the brokers at risk of identity theft. The e-mail was sent to a Minnesota broker's office; brokers affected have been notified.

The troubling breach put an unflattering national spotlight on the Minnesota marketplace, often looked to as a model for well-designed exchanges. It was painful to see Florida's Republican Gov. Rick Scott hold up MNsure as an example of the ACA's flaws. The breach also deepened broader doubts about data privacy following summer scandals over the National Security Agency's collection of data and the sloppy security that led to information being leaked by Edward Snowden.

While Republicans seize on any reason to attack "Obamacare," the breach does raise legitimate questions about the data security practices the state's exchange has in place. MNsure's leaders should understand that regaining the public's trust on this issue is a top priority and that Gov. Mark Dayton's glib assurance that glitches happen didn't suffice.

Context is important in the ongoing discussion about the breach. This is not a vulnerability of just the public sector. Consumers' financial information has been hacked with regrettable regularity at retailers, ticketsellers and banks, with quick notification of such breaches not always forthcoming.

Protected health information also been released accidentally by medical providers, with 674 breaches involving 500 or more people reported to federal officials since 2009. Twelve of these breaches were in Minnesota and affected about 70,000 people here, with one stolen laptop from an Accretive employee working for Fairview hospitals containing thousands of medical records.

It's important to note that MNsure will not collect or store medical records from people who want to buy coverage on the exchange, which will prevent this sensitive information from being compromised. Key information that enrollees will be asked for includes where they live and what their income is (to determine citizenship and eligibility for financial assistance). Those who do not want tax subsidies or other help will not be asked for information beyond what they would give a private health insurance company or broker.

It also should be noted that the breach of broker information happened outside the more secure information technology system used for enrollees' information. MNsure officials said policies and training had been in place to prevent accidental breaches for data stored outside this system. Still, answers are needed about where the broker information was stored, who had access to it, and why technology the state already has wasn't used to encrypt it or stop outgoing e-mails from transmitting sensitive information.

MNsure staff are working long hours on the enormous task of launching this new marketplace. Evaluating and tightening data security in the breach's wake, and communicating the improvements to the public, will add to their daunting workload — but MNsure's success is worth it.