Daily Caller News Foundation

Audit: Minnesota Obamacare exchange lacks basic security

Months after sending 2,400 Social Security numbers to the wrong person, an audit of the Minnesota Obamacare exchange, MNsure, found that it lacked any proper security and privacy measures.

“MNsure did not adequately secure private data residing on its internal computer network,” and “relied on data security and privacy training that may not have been adequate,” an audit of the incident by the Minnesota Office of the Legislative Auditor concluded.

Before the state-run Obamacare exchange even launched, a MNsure employee accidentally sent an email containing the confidential information of 2,400 insurance brokers, including Social Security numbers, to the wrong recipient.

The simple Microsoft Excel spreadsheet was filled with unencrypted, unprotected private data belonging to insurance agents that signed up to sell Obamacare coverage once the exchange launched on Oct. 1.

The recipient was Jim Koester, an insurance agent applying to MNsure to become an Obamacare navigator. Koester quickly alerted the exchange and all precautions were taken to delete the information.

The employee who mistakenly sent the data was fired, despite the audit’s finding that all proper protocols were followed. The insurance agents whose private information was leaked were given a year’s worth of identity protection, according to the Miami Herald, in the hopes that the risk for harm would fade.

Still, Koester was shocked by how easy it was to leak the information — weeks before any consumers had input their own information on the website. “What if this had fallen into the wrong hands,” he wondered to the Minnesota Star Tribune. “If this is happening now, how can clients of MNsure be confident their data is safe?”

Though the state auditor found “no evidence of malicious intent” in the data leak, they did conclude that not only were data security and organization measures insufficient, MNsure never need the data in the first place.

The sensitive information was “not needed for MNsure to fulfill its responsibilities,” according to the audit, and the risk incurred by the insurance agents signing up to help was unnecessary.

Even though there was no need for it, the exchange collected the personal data “using e-mail without fully assessing and mitigating the risks involved,” the audit noted “and without considering a more secure and efficient alternative.”

The state has not reported any further data breaches, but exchanges officials’ lax attitude toward data security for insurance brokers may be a cause of concern for Minnesota customers, who provide even more private data to MNsure when purchasing coverage.

MNsure and federal Obamacare regulations require that customers applying for coverage on the exchange input personal employment, financial and demographic information, as well as health-status information related to both pregnancy and tobacco use.

No data security breaches have been reported since MNsure launched Oct. 1, but concerns regarding the privacy and security of information put into online Obamacare marketplaces have been raised after some exchanges included disclaimers that refuted the privacy of any information put into the system.

Follow Sarah on Twitter and Facebook

Content created by The Daily Caller News Foundation is available without charge to any eligible news publisher that can provide a large audience. For licensing opportunities of our original content, please contact licensing@dailycallernewsfoundation.org.