A legislative committee overseeing MNsure, Minnesota's new online health insurance exchange, was on the defense at a Tuesday hearing over a security breach.
The MNsure Legislative Oversight Committee met at the Capitol on Tuesday morning to discuss next steps after a former employee at the agency mistakably emailed a document containing the private information of 1,600 insurance agents -- including addresses, drivers license information and Social Security numbers.
MNsure executive director April Todd-Malmlov said that the breach was not related to the IT data system consumers will use to sign up for insurance, which she contends will be the most secure in the state. Instead, she said simple human error and a few strokes of a keyboard were the cause.
The former employee, who has not been identified, was storing the personal information on a computer desktop and it was not encrypted, MNsure officials said.
Todd-Malmlov also confirmed at the hearing that MNsure did not need the broker's Social Security data information that was disseminated.
Yet, the breach led to hard questions from skeptical lawmakers and brokers whose information was compromised.
"You know, one of my questions is: Why was this data stored on a desktop and why was it not encrypted -- and is it encrypted now?" Bill Haas, of Haas Managed Benefits, asked.
MNsure will now perform a workstation-by-workstation review of its computers.
Minnesota legislative auditor Jim Nobles told the Oversight Committee that he'll be conducting a complete IT audit of MNsure, and that a third-party analysis will also be completed. So far, Nobles' investigation has already interviewed the employee who sent the e-mail under oath -- but he said he has already determined that the state practices need a thorough review.
"This is still going on at MNsure and throughout state government every day -- the use of the e-mail system to transmit communication and possibly unsecured data," Nobles said. "We need to take a really hard look at that."
Chief IT officer Chris Buse said an independent review of 232 security controls within the MNsure online exchange shows it meets federal standards and, according to Buse, boasts the best model in the state.
"This is an HR issue that we've fixed and we've moved on," MNsure board chairman Brian Beutner said during the hearing.
Minnesota is launching an online health insurance marketplace in compliance with the Affordable Care Act that requires every citizen to carry health insurance starting Jan. 1, 2014.
Minnesotans can enroll Oct. 1, but Todd-Malmlov said the site will not go live if there's a "smoking gun" regarding a security risk to the website.
Learn more about MNsure: http://bit.ly/15pmiRz