MNsure looks to reassure: Board meets to respond to publicized data breach
ST. PAUL — Officials of Minnesota’s new health-insurance marketplace want to send a message that they will protect private information, an effort to counter a highly publicized data breach.
A Friday MNsure board meeting was called to respond to a Sept. 12 incident in which private information of nearly 1,600 insurance brokers (not 2,400 as MNsure originally said) was mistakenly emailed to an insurance agent.
The employee who sent the information no longer works for MNsure and the agency is looking at its security systems to make sure a similar incident does not occur.
Board member Dr. Kathryn Duevel of Willmar said MNsure needs an easy-to-understand message that privacy is important.
“We have this big commitment that we want everyone to have insurance...” she said. “We need to give people some level of reassurance that people can feel comfortable applying to MNsure.”
Minnesotans already are nervous about the new government program, Duevel added.
“You have a very significant trust problem,” David Racer, who long has worked with insurance agents, told the board.
Commissioner Lucinda Jesson of the Human Services Department suggested that the board take up the public perception issue when it meets next week.
Republican MNsure critics were not happy with the Friday meeting.
“Notably absent at today’s MNsure board meeting was any sort of apology to the Minnesotans whose personal information was violated,” Rep. Peggy Scott, R-Andover, said. “Worse yet, we received no assurance that Democrats’ insurance exchange will be able to keep personal information private in the future.”
Senate Minority Leader David Hann, R-Eden Prairie, said he has the same questions, and more.
“It’s abundantly apparent that even after spending over $150 million on a website and not 1 cent on checkups for kids, preventative care for seniors or cancer screenings for moms, MNsure still isn’t ready to meet its timeline,” Hann said.
MNsure officials said they took immediate action when they discovered the list had been sent, with the recipient voluntarily deleting the email and attachment. The state sent information technology personnel to the agent’s Burnsville office to make sure the information had been erased and not sent elsewhere.
“Security systems are only as strong as the people who work with them,” said board member Phillip Norrgard, who is Fond du Lac Reservation human services director. “We have to keep in mind that this is a human resources problem, not necessarily an IT problem.”
State information technology official Chris Buse said the MNsure computer system is safe. “I believe this system will have the highest security in state government.”
All MNsure employees, including the one who sent the email, have undergone training about how to maintain privacy of people, agency officials said.
While the specific incident deals with computer technology, MNsure also deals with paper, so security must go beyond computers.
“There will be personal information on paper applications,” MNsure Executive Director April Todd-Malmlov said.
She said the employee sent the email without it being encrypted and stored it in the wrong place on the computer, violations of MNsure policy. Todd-Malmlov would not say if the employee was fired.
“The news was deeply unwelcome,” Norrgard said.
However, he added, the good news is that MNsure officials reacted quickly. “I appreciate the transparency that staff has shown.”
Todd-Malmlov said the incident was not related to a website that Minnesotans will be able to use to compare and buy health insurance.
State legislators and Gov. Mark Dayton established MNsure earlier this year to meet a federal health-care law requirement that requires Americans to be able to compare and buy health insurance online. MNsure also will allow Minnesotans to check and buy policies via telephone and in person.
MNsure’s Web site is to go live Oct. 1, allowing Minnesotans to look into a variety of policies. They may sign up for policies beginning then, but the policies would not begin until Jan. 1.