It wasn’t until state auditors were about to finalize their report that Connecticut’s health insurance exchange presented them with the corrective action plan for a potential security breach that happened in June 2014.
“They never produced it until the very end,” Robert Ward, one of the state auditors, said Tuesday.
Connecticut’s health insurance exchange, known as Access Health CT, is the quasi-public agency created to oversee the state’s implementation of the Affordable Care Act and to help facilitate the purchase of health insurance.
Last year, a call center representative lost a backpack with the names and Social Security numbers of clients or potential clients on a Hartford street. The backpack ended up at the office of a state lawmaker and Hartford Police investigated the matter, but no criminal charges were ever filed against the employee. Maximus, the vendor that employed the call center representative who lost the backpack, and Access Health CT promised changes as a result of the incident.
Following the incident last June, the exchange hired a third-party security consultant to perform a security assessment. The exchange provided copies of that assessment to auditors.
“The third-party security expert noted several deficiencies in the security of the exchange,” auditors said in their report. “In addition to several findings and recommendations related to the physical security of the buildings and information assets, the security expert includes several observations related to the security environment.”
Interviews with other call center representatives led the security expert to conclude that “there appeared to be a lack of security training, awareness, and responsibilities because, when most interviewees were asked about critical assets, high-risk or sensitive areas, and physical security, interviewees referred to another person/department as having responsibility,” according to the audit.
Ward said the corrective action plan that the exchange finally shared with them was deficient. He said the leadership of the exchange decided it wasn’t going to implement certain recommendations due to cost; however, it never provided a cost-benefit analysis, so it’s unclear why those decisions were made.
“Secondly, there wasn’t a formal review of what they did to review the corrective action plan,” Ward said.
He said he’s not suggesting there is presently a huge risk of losing personally identifiable information, but rather that robust security measures need to be in place.
“The Connecticut Health Insurance Exchange should develop a management control system that holds the organization accountable for responding in a timely manner to reported deficiencies in the security of the Exchange, in order to provide assurance that the PII [Personally Identifiable Information] in its possession is secure,” the audit states.
In response to the auditors’ findings, the exchange said that it “has taken many steps to improve security.”
The exchange said the call center vendor has made changes to its physical security and leased separate, more secure office space in the same building for its Issue Resolution Department, which deals with consumers and handles personally identifiable information.
Employees also are required to complete an annual information technology training course and the agency is contracting with a security vendor to provide a full security audit of its offices and the state server facility in Groton where its data is stored.
The state auditors also were critical of the exchange’s posting of meeting minutes. They found the quasi-public agency took several months, in one instance, to post meeting minutes when state law requires them to be posted within seven days. The exchange argued that the minutes were drafts until the following meeting, when they could be voted upon, but agreed in the end to post the minutes in draft form in the future.
Auditors also found that board members did not post the required $50,000 non-surety bond.
Instead, the exchange procured a “faithful performance” rider to its crime insurance in lieu of the required bonds. The Attorney General’s office is determining the legal sufficiency of the amended insurance policy.