MNsure Parts Ways with Employee in Security Breach

Updated: 09/25/2013 12:55 PM By: Scott Theisen

An employee of Minnesota's health insurance exchange no longer works there after releasing private information about insurance agents.
MNsure executive director April Todd-Malmlov told the agency's board of directors Friday that the employee violated internal policy by storing unencrypted personal information about Minnesota insurance agents on a computer desktop.
Todd-Malmlov said human resources requirements prevent her from revealing whether the employee was fired or transferred to another state agency.
Last week, the worker inadvertently emailed information including Social Security numbers to an insurance agent in Burnsville, prompting MNsure officials to quickly secure the information and alleviate concerns about privacy of personal information as they prepare to deliver health care to Minnesota residents under the federal overhaul.
The agency said the private information pertained to about 1,600 agents, not 2,400 as originally reported. A memo to board members said some of the names on an initial list were duplicates.
When the mistake came to light, MNsure security officials worked with the agent who received the email to make sure he deleted it permanently from his computer.
Todd-Malmlov said MNsure employees dealing with classified data received specific training and had to pass a test in order to get access to the data.
MNsure is now conducting what Todd-Malmlov described as a "unit by unit, workstation by workstation" review to make sure that all employees are following security policies and procedures. The agency will also seek an independent review to identify contributing factors and identify policies or procedures that could prevent similar incidents in the future.
MNsure board member Phil Norgaard said he was confident that what happened was "a human resources problem, not necessarily an IT problem."
Todd-Malmlov also stressed that none of the information accidentally released had been entered through MNsure's customer portal, which goes live Oct. 1.
Kathryn Duevel, another board member, said she wants the agency to take steps to make sure that prospective MNsure customers can be confident their personal information is safe when they enroll.
"We have to give people reassurances that they can feel comfortable applying for MNsure," Duevel said. "Because they're going to be understandably worried."
A legislative panel that oversees MNsure's operations is meeting Tuesday to further discuss concerns raised by the security breach.

St. Paul- Rep. Peggy Scott (R-Andover) released the following statement:
“Notably absent at today's MNsure Board meeting was any sort of apology to the Minnesotans whose personal information was violated. Worse yet, we received no assurance that Democrats’ Insurance Exchange will be able to keep personal information private in the future. Today's meeting only raised more questions about MNsure's lack of data security procedures," said Rep. Scott. “I’m anxiously awaiting the Legislative Auditor's investigative report on this incident and I renew my request for Governor Dayton to get off the sidelines and provide answers.”

Statement from Senate Republican Leader David Hann (R- Eden Prairie):
“The MNsure Board of Directors meeting offered no new answers to the question that thousands of Minnesotans have. Will my privacy be protected?  It's abundantly apparent that even after spending over $150 million on a website and not one cent on checkups for kids, preventative care for seniors, or cancer screenings for moms, MNsure still isn't ready to meet its timeline. Governor Dayton must provide leadership and demand results before it is too late. Republican leaders will continue to advocate on behalf of hardworking Minnesotans to ensure their privacy is protected and our uninsured are receiving the care they deserve.”

(Copyright 2013 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.)