HIX failed to report dozens of breaches, audit finds
Photo: Burst/Pixels
A recent audit found that a Connecticut health insurance exchange failed to report dozens of data breaches between July 2017 and March 2021 to the Auditors of Public Accounts and the State Comptroller.
The report, released this past month, said the exchange did not take "sufficient actions" to ensure client data security.
"Breaches of data increase the client’s risk of identity theft, medical insurance abuse, and financial fraud.
"The exchange incurred costs of two-year security monitoring for clients who experienced a breach," said the Auditors of Public Accounts report.
WHY IT MATTERS
As outlined in the report, the Connecticut Health Insurance Exchange, which does business as Access Health CT, was created as a state-based health insurance marketplace in accordance with the Affordable Care Act.
Its goal, said auditors, is to reduce the number of uninsured individuals in Connecticut. However, auditors found that many of those individuals' data could have been potentially exposed.
From July 2017 through March 2021, the exchange experienced 44 breaches of client data – including 34 from a single contractor, reported by local outlets to be call center vendor Faneuil Inc.
The remaining 10 breaches stemmed from five other entities.
Although the organization relayed the incidents to the Attorney General, it did not do so to other agencies, as required by state law .
As noted by Hearst Connecticut Media's Mary Katherine Wildeman, the exchange has experienced the most breaches of any organization in the state over recent years. Access Health CT representatives did not respond to Healthcare IT News' requests for comment, although spokesperson Kathleen Tallarita told Wildeman most of the breaches were small.
However, at least one of the scams affected 1,100 clients, said the report.
"The Exchange recognizes the importance of strong information security controls especially given the sensitive nature of data the Health Insurance Exchange systems process and store," said the agency in a comment included in the auditor report.
"The Exchange monitors vendor compliance with security requirements and is implementing additional protocols to monitor compliance and improve vendor security practices," it continued.
"The Exchange requires any vendor causing a breach to cover the cost of two-years of security monitoring for clients who experienced a breach, and requires vendors to maintain sufficient liability insurance in case of a breach," it said.
"The Exchange complies with statutory reporting requirements, and will comply with additional reporting requirements," added the organization.
THE LARGER TREND
Healthcare organizations have faced stepped-up enforcement from government entities when it comes to protecting health information.
Just this past month, the HHS Office for Civil Rights hit two providers with five-digit settlements to address potential HIPAA Privacy Rule violations.
And in February, the State of Rhode Island Office of the Attorney General issued a civil investigative demand to UnitedHealthCare of New England after a security breach exposed the data of 22,000 individuals.
ON THE RECORD
"The Exchange is currently working with two third-party vendors to assist with the implementation of a Risk Management Framework to provide comprehensive visibility and oversight into compliance with information security controls," reported the Auditors of Public Accounts.
Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.