BreachExchange mailing list archives

Errant e-mail creates security breach at MNsure


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 13 Sep 2013 20:34:27 -0600

http://www.startribune.com/business/223564521.html

A MNsure employee accidentally sent an e-mail file to an Apple Valley
insurance broker’s office on Thursday that contained Social Security
numbers, names, business addresses and other identifying information
on more than 2,400 insurance agents.

An official at MNsure, the state’s new online health insurance
exchange, acknowledged it had mishandled private data. A MNsure
security manager called the broker, Jim Koester, and walked him and
his assistant through a process of deleting the file from their
computer hard drives.

Koester said he willingly complied, but was unnerved.

“The more I thought about it, the more troubled I was,” he said. “What
if this had fallen into the wrong hands? It’s scary. If this is
happening now, how can clients of MNsure be confident their data is
safe?”

While MNsure officials said the mistake was quickly resolved and was
the first security breach, the incident highlights concerns of those
who have hounded the state for years about privacy issues surrounding
the online-based health insurance exchanges.

The new marketplaces are a key vehicle for implementing the federal
health law, often called Obamacare. Small-business owners as well as
individuals younger than 65 are expected to begin using the health
exchanges Oct. 1 to comparison-shop among various health insurance
options.

Users of the exchange will need to provide sensitive information,
including Social Security numbers, that will be sent to a federal hub
to verify such things as citizenship and household income. This
information will determine whether consumers using MNsure qualify for
public health programs or tax credits that will lower the cost of
premiums.

All states and the federal government, which also is setting up
exchanges for some states, are scurrying to get the complex system
running in less than three weeks.

“The people who believe in this are so driven that there’s a
subcontext of ‘Just let us do our job and get as many people signed up
as possible, and we’ll pick up the debris later,’ ” said Steve
Parente, a University of Minnesota finance professor who specializes
in health IT issues.

Parente testified on Capitol Hill earlier this week, urging caution in
pushing the federal hub online before it has been thoroughly tested.

Working with digital data “is a convenient and simple convention to
move things along,” Parente said. “But the downside is that it can
have unintended consequences. It takes time to parse and curate and
edit. You can’t do that if you’re in a rush.”

A MNsure official issued a statement saying that the state will notify
all of the brokers that their private data had been disclosed.

“MNsure takes this incident extremely seriously,” the official said.
“While it appears that this incident was accidental, MNsure will
conduct a thorough investigation to fully understand the nature of the
incident. MNsure has a data privacy policy in place, and this
employee’s action was a violation of this policy.”

Koester, the agent, had been working with MNsure staff because he was
having trouble registering for classes to get trained as a certified
“navigator” to help people sign up for coverage.

Koester said there had been some back-and-forth with a MNsure staffer
when he received an e-mail and attachment that took him by surprise:
page after page of names, business addresses, license numbers and
Social Security numbers.

MNsure was collecting Social Security numbers so that the Department
of Commerce could count the navigator’s training as part of the
brokers’ state-mandated continuing education credits, according to the
officials.

As soon as the MNsure staffer realized the mistake, she called Koester
to ask him and his assistant to delete the file. MNsure manager Krista
Fink followed up with more detailed instructions.

“She didn’t tiptoe through the tulips; she was very serious,” Koester
said. “But the gorilla in the room is that they sent me something
that’s not even encrypted. It’s unsecured, on an Excel spreadsheet —
which is using outdated technology to transfer that information in the
first place. They’ve got to realize they have a huge problem.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
