Under pressure, MNsure pushes data privacy fixes

MNsure technology officials say they're putting in security fixes to the state's online health insurance site that should be completed by Tuesday night. But they are stopping short of acknowledging a specific vulnerability uncovered a few weeks ago.

• Related: Experts criticize security holes in MNsure

The problem is complex, but it comes down to this: MNsure's website allows consumers' private data to come through unencrypted, leaving it vulnerable to an inexpensive hacking tool. That tool can capture information coming from computers or smartphones within a range of as much as 150 yards, according to Minnetonka security analyst Mark Lanterman.

Lanterman met Monday with the state's chief information security officer, Chris Buse, explained to how he discovered the vulnerability and how to solve the problem.

"We told them very clearly that if there is any assistance we could offer the state of Minnesota, that there wouldn't be any charge for that," he said. "We want to see this fixed."

Buse said the meeting helped confirm the actions his staff has already taken -- and are planning -- to fix the problem. A solution should be in place by the end of the day.

"This is a generic Internet type of vulnerability. It's not something that's specific to MNsure," he said. "We are taking some steps with MNsure to help mitigate the vulnerability. But this is a vulnerability that is broadly applicable to almost every site on the Internet."

Lanterman disagrees that the problem is a generic vulnerability that affects almost every website. He says some other websites are vulnerable, yes, but other organizations have also fixed that vulnerability, something he says MNsure's site also has an obligation to do.

Initially, Buse said he and his staff had tried to recreate what they thought Lanterman was asserting a few weeks ago, and told MPR last week they had fixed the problem. But Lanterman said they had not.

The Minnesota Legislative Auditor's office also considers MNsure's vulnerability a serious concern that needs to be acknowledged and addressed by the state. State Legislative Auditor Jim Nobles has said if the issue is not addressed adequately, his office will examine the issue when it conducts a security audit of MNsure next year.

In addition to security, MNsure officials have been scrambling to address a number of other problems. Data it sent to insurers contained errors or was incomplete. And its website has had intermittent problems due to heavy traffic. Just yesterday, for example, the site wasn't able to process new applications for coverage and callers to its hotline were waiting on hold an average of 45 minutes.

The MNsure problems have provided state House and Senate Republican leaders -- who opposed the federal health care overhaul that paved the way for MNsure -- with fresh material to criticize the program and DFL Gov. Mark Dayton's administration.

"None of this instills a lot of confidence that people are going to have insurance on Jan. 1," said Rep. Kurt Daudt, R-Crown. "What we need from the governor is [for him] to answer the questions we have and answer the questions that citizens of Minnesota have. Are people going to be insured on Jan. 1, first, and what are you doing to ensure that people are going to be insured on Jan. 1."

Dayton's press secretary, Matt Swenson, described the GOP comments as "unsurprising" and "unproductive," and asserted that Dayton has been clear that the current state of the exchange is unacceptable, and added that Minnesotans who need affordable health insurance need more than empty rhetoric with no solutions.