Privacy Breaches at Insurance Exchanges

Three Incidents Involve Consumers Getting Wrong Data

By , November 26, 2013.
Privacy Breaches at Insurance Exchanges

A privacy breach at the Vermont health insurance exchange involving "recycled" usernames resulted in an individual accessing the personal information of another applicant.

See Also: How to Identify Meaningful Alerts from the Security Noise

The revelation of the Vermont breach comes on the heels of several recent Congressional hearings that revealed the lack of end-to-end security testing at the federal HealthCare.gov website for Obamacare before it launched on Oct. 1 for open enrollment.

During one of those hearings, CMS officials said a glitch that resulted in a North Carolina consumer being able to access the information of a South Carolina consumer on HealthCare.gov site was "fixed immediately" after it was reported to the agency (see: CIO at CMS Stepping Down.)

In addition, the Associated Press reports that an applicant using Oregon's state insurance exchange, Cover Oregon, received in the mail a printout of her application with a letter instructing her to fill out some missing information. However, with the documents were also several pages of other individuals' applications.

Officials at Cover Oregon did not respond to Information Security Media Group's request for comment.

Vermont Incident

The breach report filed by Greg Needle, privacy officer of the Vermont Health Connect, to the Centers for Medicare and Medicaid Services, indicates that on Oct. 17, an individual contacted the exchange's call center regarding an application submitted online the week of Oct. 7. The individual stated he received by U.S. mail a non-return address envelope containing a print-out of the application he filled out online, which included his Social Security Number, address and other information.

On the back of the envelope and on the last page of the printed out application was a hand-written note that read, "Vermont Health Connect is Not a Secure Website."

The breach report notes: "VHC investigated immediately and determined that two accounts were linked via a recycled username and it was possible for a brief period of time that the two username holders could access the same information. It was also possible for a brief period one individual accessed the inadvertently shared account and was able to see and create screen shots of the other person's information."

The report also notes: "Only the one user account was created from the two linked usernames. VHC is still investigating but has determined that this recycling of passwords or linked user accounts was an isolated event."

The individual, according to the report "was contacted by VHC and was reassigned a new account access and assured their account was secured."

The privacy incident at Vermont Health Connect that was reported to CMS on Oct. 17 was "successfully closed" by CMS on Oct. 23, according to an internal VHC e-mail provided to Information Security Media Group by the VHC spokeswoman.

Potential Causes

Security experts say there are a variety of issues that may have contributed to the Vermont breach.

"My guess, without knowing more about this situation, is that the security problem involved some sort of internal account/file that was created by staff for a consumer," says Kevin Coleman, who heads research and data at HealthPocket, Inc., a technology and research firm that ranks health plans.

"Moreover, the description of the hard copy mail being sent to a consumer would also suggest this was some sort of internal/account file. If I am right, this could be a procedural problem, technical problem, or both," he says.

Coleman says software systems have IDs that normally prevent two identically named accounts from existing in the same file directory at the same time.

"This is software 101. If IDs can be recycled for user accounts then there should be a system to delete the prior account's information prior to the ID being available for recycling," he says. "Software systems are typically built to prevent those type of errors so you do not have to rely on training and monitoring of staff behavior."

Follow Marianne Kolbasuk McGee on Twitter: @HealthInfoSec

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Police Disrupt Banking Malware Botnet

Authorities have disrupted a botnet that was serving up the Ramnit banking malware, which has...

Latest Tweets and Mentions

ARTICLE Police Disrupt Banking Malware Botnet

Authorities have disrupted a botnet that was serving up the Ramnit banking malware, which has...

The ISMG Network