MPR's Catharine Richert discusses the Legislative Auditor's report on a data breach in MNsure
MNsure data breach was accidental, investigation finds
Nov 8, 2013
An investigation by the Minnesota Office of the Legislative Auditor has found that a data breach at MNsure earlier this year was unintentional and that there was "no evidence of malicious intent."
But the report also said that MNsure made a series of critical decisions that made personal information connected to 1,500 Minnesota insurance brokers vulnerable to a breach. Fast-moving timelines, not enough workers and inadequate data security are all to blame, the report said.
"Our findings demonstrate that what occurred was more than 'an HR issue' involving one employee," the report states, rebutting one characterization by MNsure's board chair, Brian Beutner.
Critics of MNsure have long said data security -- whether it's broker, insurer or customer information -- is among their chief concerns about the new website.
In September, an agency employee, whose job was to assist insurance agents who wanted to help people enroll in health coverage through MNsure, accidentally sent the personal information of 1,500 brokers, including their Social Security numbers, to another agent.
"We found no evidence that what occurred was anything other than a mistake, and no evidence that there was any reason the employee would have intentionally shared the MNsure Broker Data Roster with the broker who received it," the Legislative Auditor's report said.
MNsure personnel also acted quickly to address the situation, according to the report.
The agency immediately alerted brokers that their information had been disclosed. MNsure has offered to pay for one year of identity protection for each broker involved in the data breach, according to the report.
MNsure also fired the employee who sent the errant email.
"We are satisfied that MNsure staff and officials acted quickly to mitigate the impact of the unauthorized disclosure of private data," the report said.
But the report still has plenty of criticism of the agency running the state's new online insurance marketplace. "MNsure officials made decisions that contributed directly to the disclosure of private data," the report said.
The auditor's office said MNsure required brokers and agents to turn over sensitive data the agency did not need, and then failed to ensure the data were secure.
NO NEED FOR SOCIAL SECURITY NUMBERS
Over the course of the summer, MNsure received a great deal of interest from insurance brokers interested in being certified to help their clients with the online marketplace.
But the investigation found that MNsure did not hire enough workers early enough to handle the interest.
"The result appears to be a stressed work environment in which key goals were not achieved in time for MNsure's opening date on October 1, 2013," the report said.
The Legislative Auditor also questioned why MNsure was collecting broker Social Security numbers in the first place -- a piece of information that was not necessary to certify insurance agents.
MNsure's decision to collect Social Security numbers may have stemmed from a misunderstanding with the Minnesota Department of Commerce. MNsure officials were under the impression that that information was required to access a national registry of brokers typically used by the commerce department.
"I did send that roster over to the Department of Commerce, requested that they vet the roster and let us know does this look OK," according to an interview with the manager of the MNsure broker team. "[Commerce] had some edits on the front page, but no comments about the Social Security number."
The report said that had MNsure "adequately vetted the decision to collect Social Security number, those negative consequences would have been avoided."
INSUFFICIENT DATA SECURITY?
The Legislative Auditor also questioned why MNsure was using unsecured email to gather personal information from brokers.
According to the report, MNsure employees must manually encrypt emails sent to people outside state government.
But that wasn't done to gather personal information from brokers, according to the investigation.
When asked why MNsure officials didn't set up a secure website to collect agent data, MNsure's broker manager said their aim was to get the certification process done early, so they opted for email instead.
"If we had knowledge of [a secure website] or perhaps done more assessment of the tools available to us, that would have been a preferred option, it sounds like," the broker manager told the Legislative Auditor.
Though MNsure employees are required to pass data security courses, the Legislative Auditor questioned if they were rigorous enough in the first place.
The auditor's report also makes a point of saying insurance industry officials objected to MNsure's practices.
"[R]epresentatives of insurance agents and brokers told us that, before the disclosure of private data occurred, they had raised objections to MNsure requiring Social Security numbers as part of the certification process, as well as to the use of unsecured e-mail for the transmission of private data," the report said.
MNsure officials said they generally agree with the findings in the Legislative Auditor's report and underscored that the data breach was an isolated incident that has nothing to do with the online insurance marketplace consumers are using to buy coverage.
"We have since conducted work station-by-work station reviews for privacy and security policy compliance, conducted in-person data privacy and security training sessions with staff, and engaged an outside vendor to perform a root cause analysis of the incident and the factors leading up to it," MNsure Executive Director April Todd-Malmlov said.
"MNsure appreciates and values the thorough examination of this incident and are committed to taking measures to ensure one like it does not occur in the future," she said.
Editor's note: This report has been revised from the original to attribute the assertion the data breach stemmed from an "HR issue" to the MNsure board chair, instead of the agency's executive director.