Legislative Auditor to probe MNsure data security breach

The state's legislative auditor will investigate a data security breach at MNsure, the state's new health insurance exchange.

Auditor Jim Nobles acted after MNsure acknowledged one of its employees inadvertently emailed the names, Social Security numbers and other identifying information of 2,400 insurance agents to another broker.

"We hadn't planned to be at MNsure quite this quickly, but we certainly planned to be there in the months to come," Nobles said. "It's extremely important that the public understands that we take (data privacy issues) very seriously and that we will investigate them."

The investigation starts Monday.

Nobles said that at first blush, the breach doesn't look like a sophisticated one.

"But we still need to understand why it was done, where this data came from, what was the purpose of attaching it (in the email). Was it completely just a mistake? If so, what controls does the organization have for preventing these kinds of things, why wasn't the data encrypted?" he asked. "We have a lot of questions that we will need answers to."

MNsure declined an interview with MPR News, but said in a statement that it plans to investigate, too.

"MNsure has a data privacy policy in place, and this employee's action was a violation of this policy. MNsure is evaluating whether any additional policies and procedures can be implemented to prevent such incidents in the future."

The breach doesn't seem to indicate a security lapse that would affect consumers using MNsure, but it might leave the impression that there is a security risk, said Deven McGraw, a health privacy expert at the Center for Democracy & Technology, a non-profit privacy advocacy group.

MNsure, she added, must redouble efforts to reassure the public that using the exchange is safe.

The incident provides ammunition to critics who contend personal data collected by MNsure will not be safe. Uninsured Minnesotans will be using the website to purchase health insurance, and they'll have to provide information about themselves in the process.

Republican lawmakers said the incident underscores some of their biggest concerns about the marketplace and called for a hearing on the matter by the Legislature's MNsure oversight committee.

"Minnesotans are now justifiably nervous about the security of the private data they release to the MNsure systems," State Sens. Michelle Benson, R-Ham Lake, and Sean Nienow, R-Cambridge, wrote in a letter to the MNsure Oversight Committee asking for a hearing on the topic. "We have an obligation to ensure data integrity and allay those fears."

The DFL co-chairs of the oversight committee quickly scheduled a hearing for Sept. 24.

But Gov. Mark Dayton said he's still confident in MNsure.

It's been a rough week for MNsure. Earlier, state lawmakers and Gov. Mark Dayton criticized exchange officials for leaving prominent African American groups off a short list of groups expected to get federal funding to help enroll people in the exchange.

MPR News reporter Elizabeth Stawicki contributed to this story.