The Connecticut Auditors of Public Accounts have issued a report critical of the the state’s official health insurance exchange marketplace, including over a breach of security of clients’ personally identifiable information.
The exchange, which works as a marketplace that serves about 130,000 state residents, incurred 51 breaches of clients’ personally identifiable information, with one breach affecting 160 clients, according to the auditor’s report.
Further, the exchange did not report three of the breaches to the Auditors of Public Accounts and the State Comptroller,” the auditors found in the report.
The auditors noted that state law requires that all quasi-public agencies notify the auditors and state comptroller of any breach of security.
Also, federal regulations require “state exchanges to protect personally identifiable information with reasonable operational, administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access,” according to the auditors.
The auditors also reported that “the exchange did not take sufficient actions to ensure the confidentiality, integrity, and security of client data when one of its contractors incurred 14 of the breaches.”
“The exchange experienced 51 breaches of client data from July 2021 through April 2023. The breaches were incurred at the exchange and five of its contractors,” the report said. “Breaches of data increase the client’s risk of identity theft, medical insurance abuse, and financial fraud. The exchange incurred costs of one-year security monitoring for clients who experienced a breach,” the auditors reported. The exchange did not comply with state law, the report said.
“This finding has been previously reported in the last audit report covering the fiscal years 2018 through 2019,” the report said.
Access Health CT CEO James Michel in an emailed statement acknowledged “a recent audit of Access Health CT for fiscal years 2020 and 2021 included a finding regarding compliance with data protection and certain statutory breach reporting requirements.
“AHCT recognizes the importance of strong information security controls and has policies and processes in place to prevent disclosure of consumer information,” Michel said.
“In case of an inadvertent disclosure, affected customers are immediately notified, and offered credit monitoring and identity theft protection services,” he said..” AHCT complies with all breach reporting requirements, including notification to the Auditors of Public Accounts and the State Comptroller.”
Michel also said that, to improve security of customer data, “AHCT conducts annual privacy and security training for employees and contractors and requires vendors to train their staff to comply with all AHCT policies.”
Senate Republican Leader Stephen Harding and Insurance and Real Estate Committee Ranking Senator Tony Hwang, called what was found in the report “completely unacceptable.”
“When a government agency has a data breach impacting the people of Connecticut, the public has a right to know. These breaches expose citizens to identity theft, insurance abuse, and fraud,” the lawmakers said in a joint statement. “This audit found that the Exchange did not implement sufficient internal controls to prevent breaches of client data and failed to report breaches in certain cases. We urge officials at the Exchange to seriously reevaluate its operations to ensure adequate protection of data and the transparency of information related to any data breaches.”
The lawmakers also noted that Hwang was appointed to serve on the Cybersecurity Task Force, but the panel was never convened due to a lack of appointed members.
The auditors also reported that the Exchange response to them included that the agency recognizes “the importance of strong information security controls especially given the sensitive nature of data the Integrated Eligibility System processes and stores. The Exchange monitors vendor compliance with security requirements and has implemented additional protocols to monitor compliance and improve vendor security practices.”
The auditors also said the Exchange response included that in 2023 it “amended its vendor agreement with its call center vendor to add additional breach reporting requirements as well as new penalties for breaches caused by the vendor. In addition, the Exchange requires any vendor causing a breach to cover the cost of security monitoring for clients who experienced a breach and requires vendors to maintain sufficient liability insurance in case of a breach.”
Further, the auditors said, the Exchange told them it “has notified the Auditors of Public Accounts and the State Comptroller of any breach of security since 2021 when it became aware of this additional reporting requirement.”
The auditors also found the Exchange had “inadequate overtime monitoring,” and “weakness in purchasing process,” among other findings.
The report says that in its review of 25 expenditures, 15 credit card transactions, and 10 contracts, the noted that the exchange:
- Received services prior to the approval of ten purchase orders totaling $1,816,299.
- Lacked price quotations for three contracts totaling $151,080.
- Purchased unallowable goods and services for eight credit card transactions totaling $15,606.
- Lacked purchase orders for six credit card transactions totaling $11,240.
- Lacked Form W-9 for six credit card transactions totaling $9,743.
- Lacked expense forms for six credit card transactions totaling $11,361. • Lacked an invoice for one credit card transaction totaling $2,590.
On the auditors’ finding of late and missing reports that “appear to be the result of staffing changes and a lack of management oversight,” the Exchange responded, also according to the report:
“This finding was noted in 2020 during the prior audit. The untimely filing of certain reports was an oversight due to staffing changes and all delinquent reports were filed while the FY18 and FY19 audit was Connecticut Health Insurance Exchange 2020 and 2021 15 being completed. The quarterly accounting close process was enhanced to include these reports, and the Exchange filed all annual and quarterly reports within a reasonable time period.
“Reports with June 30 dates require more time as the Exchange must wait for completion of audited financial statements from its independent auditors in the final quarter of the calendar year. The Exchange provides regular reports to its Finance Committee and board of directors on its finances, including the value of all funds in its reserves as well as interest earned on these funds.”
This post was originally published on 3rd party site mentioned in the title of this site