Lawmakers Told Of 'Privacy Incidents' On Health Insurance Exchange
The Shumlin administration has alerted lawmakers to a series of privacy breaches on the state’s new health insurance exchange. But a top administration official says the incidents should not undermine public confidence in the security of the website.
Mark Larson, commissioner of the Department of Vermont Health Access, said in a memo (PDF) sent to top legislators Tuesday that the state has had seven privacy incidents since Dec. 22.
Unlike some of the high-profile security breaches in the news of late, Larson says the incidents didn’t involve an outside attack by malicious hackers seeking Vermonters’ personal data.
“These are all isolated incidents involving no more than two Vermont Health Connect users,” Larson said Tuesday evening. “We take them very seriously and have responded to each one of them to make sure the situation is remediated.”
Larson says the state has reported each incident to the federal government, and says the Centers for Medicare & Medicaid Services has closed each case based on the administration’s response.
“I don’t believe that they should cause Vermonters not to feel confident in gaining coverage through Vermont Health Connect,” Larson said.
Larson’s memo details seven privacy incidents that occurred between Dec. 22 and Jan. 24. Many involve incidents in which personal data belonging to one Vermont Health Connect user was wrongly shared with another consumer that had the same name.
Larson came under fire late last year for failing to disclose a previous privacy breach to lawmakers. That incident occurred in late October, and involved the inadvertent disclosure of one consumer’s social security number.
Darcie Johnston, executive director of Vermonters for Health Care Freedom, a group opposed to the Shumlin administration’s health care reform agenda, says the latest incidents are symptomatic of more widespread security problems on the exchange.
“It continues,” Johnston said Tuesday evening. “The most telling thing is that they have failed to mitigate the problem. From the first known breach in late October to now, they continue to ignore the problem.”