An audit of the Health Insurance Exchange of Connecticut, Access Health CT, by the state auditor found that Access Health CT experienced 44 data breaches during the last 3.5 years, failed to fully report them, and didn’t take sufficient steps to secure sensitive information.
The Connecticut Health Insurance Exchange serves as a health insurance marketplace intended to reduce the number of state residents who do not have health insurance and to help low-income people get Medicaid coverage, as mandated under the Affordable Care Act.
Though Access Health had submitted the data breach reports to the Department of Health and Human Services, as required by the HIPAA rule, and notified the state attorney general, the breaches were not reported to the state auditor and comptroller. State law requires the Connecticut Health Insurance Exchange to alert the Auditors of Public Accounts and the State Comptroller right away if a security breach is identified.
Many of the data breaches were minor incidents, with 34 of them affecting Faneuil Inc, a contractor based in Hampton, VA, which manages the Access Health CT support services. Many of those breaches concerned one individual’s information or the information of persons in the same family and were usually administrative problems and password reset errors.
The 34 data breaches affected some 49 different people. The remaining 10 data breaches were distributed among 5 different contractors. The most significant breach was due to a phishing attack, in which the details of 1,100 persons were possibly affected.
Aside from the failure to report the breaches, the auditors determined that Access Health didn’t take adequate steps to ensure the confidentiality, security, and integrity of client files, particularly given that 34 data breaches had taken place at one contractor. State and federal rules require controls to ensure the confidentiality, integrity, and security of sensitive records.
The auditors reported internal control deficiencies, instances of non-compliance with laws, regulations, and policies, and a need for improvement in practices and procedures that warrants management’s attention. The auditors additionally found that the procurement policy for providers lacked specific criteria for identifying valid reasons for awarding sole-source contracts.
Access Health CT explained that the breaches were reported but were not filed with the state auditor and comptroller because it did not know the state’s breach reporting requirements. Access Health CT acknowledged the recommendations made in the report and stated that third-party providers are helping with the implementation of a new risk management framework, which will give complete visibility and tracking of compliance with the information security requirements of state and federal regulations. Access Health CT said it is also revising its internal purchasing policies and procedures and will be modifying its contract procurement guidelines.