The health exchange that facilitates the purchase of Obamacare plans for Connecticut residents should do more to safeguard its clients’ personal data, a recent state audit found, and also failed to report dozens of security lapses to state authorities.
Personal information was lost in 44 breaches at Access Health CT between July 2017 and March 2021, including a phishing scam that affected 1,100 people, according to the early March report from the Auditors of Public Accounts. But these lapses were not reported to the auditor or the state Comptroller’s Office, which is required by law, according to the audit.
State Auditor John Geragosian said his office reviewed Access Health CT’s information security policies and found need for improvement.
“Internal controls were not adequate to prevent the breaches of client data,” he said in a statement.
The office recommended Access Health CT beef up its security practices, and noted in the audit report “the exchange did not take sufficient actions to ensure the confidentiality, integrity, and security of client data.”
Meanwhile, the exchange has reported experiencing the most breaches of any organization, private or public, in Connecticut over recent years, according to a review of data from the state Attorney General’s Office shared with Hearst Connecticut Media.
Of 44 data breaches auditors found — which were reported to the Attorney General as required but not to other state authorities — Access Health CT’s call center vendor, Faneuil Inc., was responsible in 34 cases. The organization, also called the Connecticut Health Insurance Exchange, is a private enterprise but is regulated by a state-appointed board; it does not receive any direct state funding.
Faneuil continues to operate Access Health CT’s call center. And three more breaches involving the call center vendor have been reported so far this year.
Faneuil declined to comment on the breaches and the audit findings, directing all questions to Access Health CT.
In a statement, Kathleen Tallarita, spokeswoman for the agency, explained most of the breaches in question are small, affecting one consumer at a time.
Access Health CT also hired an outside cybersecurity firm, Stamford-based JANUS Associates, to help put in place a stronger information security framework, Tallarita said. She added that any vendor responsible for a breach is required to pay for the affected client’s security monitoring, including Faneuil.
“The exchange monitors vendor compliance with security requirements and has implemented additional protocols to improve security practices at Faneuil and to monitor their compliance,” she said.
In total, Access Health CT reported about 110 breaches between 2013 and 2020, more than any other organization inside or outside Connecticut, Attorney General office data shows. It is not clear from the data whether an Access Health CT employee or one of its vendors was involved in each of the lapses.
The call center at Access Health CT has had repeated issues with accidentally linking the wrong personal information to other people’s online accounts, according to the reports Access Health CT filed with regulators disclosing the loss of client information.
The reports, which did not point out any malicious intent in the losses of private data, detail how call center representatives have mistakenly given access of personal information to different clients by adding people to the wrong accounts.
In a recent breach reported on Jan. 28, for example, the mistake was discovered when a client called the center to let them know she could view someone else’s private data.
Faneuil secured its contract to manage Access Health CT’s customer support in 2016. The contract was renewed in 2019 and again in August, according to the organization’s financial statements.
Though Access Health CT has said most of the breaches it reports involve just one person, the health insurance exchange has also not been immune to outside attacks that expose the information of more people. Geragosian said a phishing scam involving an Access Health CT employee in October 2019 also went unreported to the auditor and Comptroller’s offices. Faneuil also experienced a ransomware attack in Aug. 2021, according to documents shared by the auditor’s office.
Access Health CT handled about 573,000 inquiries from state residents during 2021, including through its call center, according to the organization’s latest annual report.
The pandemic’s effects — including increases in the ranks of the unemployed and new financial relief from aid packages — pushed more people to seek out Affordable Care Act plans and use Access Health CT’s services. By the end of 2021, enrollments were up by 7%.
