The state's Office of the Legislative Auditor said Thursday that a privacy breach at MNsure involving 1,600 Social Security numbers was unintentional but that slack internal procedures at the new health insurance exchange agency "contributed directly" to the disclosure.
In a 13-page report, Legislative Auditor Jim Nobles found "no evidence of malicious intent" by an employee who accidentally sent an e-mail attachment to an insurance broker on Sept. 12 that contained Social Security numbers and other data on insurance brokers.
The report found that MNsure acted quickly and lawfully to address the privacy breach, which was first reported by the Star Tribune. The employee who sent the e-mail is no longer working at MNsure.
The report spoke more harshly of MNsure operations and procedures, finding that collecting Social Security numbers wasn't necessary in the first place and that the agency didn't adequately secure the private data or mitigate the risks involved in collecting it.
The report offers no judgment on MNsure's decision to terminate the employee, but it takes to task assertions by MNsure officials that the breach was an isolated mistake.
"This version of what happened overlooks a series of significant decisions made not by the employee who inadvertently disclosed private data but by others at MNsure," the report says.
MNsure said in a statement that it "takes data security extremely seriously, and generally agrees with the auditor's findings. The incident in question — which occurred before the online launch of MNsure — was caused by human error and was in no way related to the MNsure IT system."
MNsure said it has since reviewed privacy and security policy with its staff members and also hired an outside vendor to analyze the incident and the factors leading to it.