


Probe: MNsure data breach was unintentional


ST. PAUL, Minn. -- An investigation by the Minnesota Office of the Legislative Auditor has found that a data breach at MNsure earlier this year was unintentional and that there was "no evidence of malicious intent."

But the report also said that MNsure made a series of critical decisions that made personal information connected to 1,500 Minnesota insurance brokers vulnerable to a breach. Fast-moving timelines, not enough workers and inadequate data security are all to blame, the report said.

"Our findings demonstrate that what occurred was more than 'an HR issue' involving one employee," the report states, rebutting one characterization by MNsure's executive director.

Critics of MNsure have long said data security -- whether it's broker, insurer or customer information -- is among their chief concerns about the new website.

In September an agency employee whose job was to assist insurance agents who wanted to help people enroll in health coverage through MNsure accidentally sent the personal information of 1,500 brokers, including their Social Security numbers, to another agent.


"We found no evidence that what occurred was anything other than a mistake, and no evidence that there was any reason the employee would have intentionally shared the MNsure Broker Data Roster with the broker who received it," the Legislative Auditor's report said.

MNsure personnel also acted quickly to address the situation, according to the report.

The agency immediately alerted brokers that their information had been disclosed. MNsure has offered to pay for one year of identity protection for each broker involved in the data breach, according to the report.

MNsure also fired the employee who sent the errant email.

"We are satisfied that MNsure staff and officials acted quickly to mitigate the impact of the unauthorized disclosure of private data," the report said.

But the report still has plenty of criticism of the agency running the state's new online insurance marketplace. "MNsure officials made decisions that contributed directly to the disclosure of private data," the report said.

The auditor's office said MNsure required brokers and agents to turn over sensitive data the agency did not need, and then failed to ensure the data were secure.



Over the course of the summer, MNsure received a great deal of interest from insurance brokers interested in being certified to help their clients with the online marketplace.

But the investigation found that MNsure did not hire enough workers early enough to handle the interest.

"The result appears to be a stressed work environment in which key goals were not achieved in time for MNsure's opening date on October 1, 2013," the report said.

The Legislative Auditor also questioned why MNsure was collecting broker Social Security numbers in the first place -- a piece of information that was not necessary to certify insurance agents.

MNsure's decision to collect Social Security numbers may have stemmed from a misunderstanding with the Minnesota Department of Commerce.

MNsure officials were under the impression that that information was required to access a national registry of brokers typically used by the commerce department.

"I did send that roster over to the Department of Commerce, requested that they vet the roster and let us know does this look OK," according to an interview with the manager of the MNsure broker team.

"[Commerce] had some edits on the front page, but no comments about the Social Security number."


The report said that had MNsure "adequately vetted the decision to collect Social Security number, those negative consequences would have been avoided."


The Legislative Auditor also questioned why MNsure was using unsecured email to gather personal information from brokers.

According to the report, MNsure employees must manually encrypt emails sent to people outside state government.

But that wasn't done to gather personal information from brokers, according to the investigation.

When asked why MNsure officials didn't set up a secure website to collect agent data, MNsure's broker manager said their aim was to get the certification process done early, so they opted for email instead.

"If we had knowledge of [a secure website] or perhaps done more assessment of the tools available to us, that would have been a preferred option, it sounds like," the broker manager told the Legislative Auditor.

Though MNsure employees are required to pass data security courses, the Legislative Auditor questioned if they were rigorous enough in the first place.

The auditor's report also makes a point of saying insurance industry officials objected to MNsure's practices.

"[R]epresentatives of insurance agents and brokers told us that, before the disclosure of private data occurred, they had raised objections to MNsure requiring Social Security numbers as part of the certification process, as well as to the use of unsecured e-mail for the transmission of private data," the report said.


MNsure officials said they generally agree with the findings in the Legislative Auditor's report and underscored that the data breach was an isolated incident that has nothing to do with the online insurance marketplace consumers are using to buy coverage.

"We have since conducted work station-by-work station reviews for privacy and security policy compliance, conducted in-person data privacy and security training sessions with staff, and engaged an outside vendor to perform a root cause analysis of the incident and the factors leading up to it," MNsure Executive Director April Todd-Malmlov said.

"MNsure appreciates and values the thorough examination of this incident and are committed to taking measures to ensure one like it does not occur in the future," she said.
