Mike Mullen//November 7, 2013
The disclosure of insurance brokers’ private information by a MNsure employee was accidental but avoidable, according to a report from the Office of the Legislative Auditor (OLA) released Thursday afternoon. The audit looked into a highly publicized incident in September, when a health insurance exchange staffer sent an email that included a list of brokers as an attachment. Rather than sending a simple list, the employee included information submitted by about 1,500 brokers, including their names, addresses and Social Security numbers.
In an interview with OLA researchers, the MNsure employee, who has since been fired, said he or she understood the gravity of the mistake immediately.
“I couldn’t believe it,” the employee told OLA. “I was — I’m still in disbelief. I don’t know how — well, as I said, I didn’t know I could even possibly do that.”
The report goes on to commend MNsure for its response to the data leak, including the employee at fault, who contacted the broker who received the errant email, explained the situation and asked that the broker delete it. MNsure also notified the brokers whose information had been leaked, in keeping with the statutory requirement on disclosures of this nature. Soon after the event, executive director April Todd-Malmlov sent a letter of apology to the affected brokers.
In that letter, Todd-Malmlov also said MNsure would volunteer to pay for one year of identity theft protection for the people whose information was put at risk.
On another point, though, the OLA report faults MNsure for having collected so much information in the first place. The exchange did not actually need to collect brokers’ Social Security numbers, OLA found, and doing so increased the risk of a serious privacy breach. During the course of the audit, numerous brokers and their representatives contacted OLA to say they had objected to MNsure’s collection of Social Security numbers prior to the leak.
“The mistake by a MNsure employee resulted in considerable concern and cost, largely because the disclosure included Social Security numbers connected to other personally identifying data,” reads the audit.
MNsure stopped collecting Social Security numbers from registered brokers in late September, about two weeks after the initial email was sent.
The audit also criticizes the exchange for using email to collect information, rather than a safer option such as a secure website, and for failing to store private data in a more secure way: Each of MNsure’s roughly 70 employees could have obtained access to the roster of brokers, whether the list was pertinent to their job or not.
In a letter of response to the audit, Todd-Malmlov reiterated her regret at the lapse in data security.
“MNsure takes its obligation to protect private data very seriously, and [we] are working hard to regain and maintain the public’s trust in our organization,” she wrote.
Some Minnesotans might be harder to convince than others. In a statement following the OLA release, Sen. Michelle Benson, R-Ham Lake, said the leak exposed “serious flaws” in MNsure’s technology system.
“Minnesotans deserve to have the peace of mind knowing that their private information remains private and that they remain in the driver’s seat when making health care decisions,” Benson said.
Todd-Malmlov’s letter indicates that MNsure has brought on Minnesota Privacy Consultants to conduct an analysis of the accidental disclosure, and expects their work to be completed next month.