The well being trade that facilitates the acquisition of Obamacare plans for Connecticut residents ought to do extra to safeguard its purchasers’ private information, a current state audit discovered, and likewise did not report dozens of safety lapses to state authorities.
Private info was misplaced in 44 breaches at Entry Well being CT between July 2017 and March 2021, together with a phishing rip-off that affected 1,100 folks, in line with the early March report from the Auditors of Public Accounts. However these lapses weren’t reported to the auditor or the state Comptroller’s Workplace, which is required by legislation, in line with the audit.
State Auditor John Geragosian stated his workplace reviewed Entry Well being CT’s info safety insurance policies and located a necessity for enchancment.
“Inside controls weren’t ample to forestall the breaches of consumer information,” he stated in a press release.
The workplace really useful Entry Well being CT beef up its safety practices, and famous within the audit report “the trade didn’t take enough actions to make sure the confidentiality, integrity, and safety of consumer information.”
In the meantime, the trade has reported experiencing essentially the most breaches of any group, personal or public, in Connecticut over current years, in line with a evaluate of knowledge from the state Legal professional Common’s Workplace shared with Hearst Connecticut Media.
Of 44 information breaches auditors discovered — which had been reported to the Legal professional Common as required however to not different state authorities — Entry Well being CT’s name middle vendor, Faneuil Inc., was accountable in 34 circumstances. The group, additionally referred to as the Connecticut Well being Insurance coverage Trade, is a personal enterprise however is regulated by a state-appointed board; it doesn’t obtain any direct state funding.
Faneuil continues to function Entry Well being CT’s name middle. And three extra breaches involving the decision middle vendor have been reported up to now this yr.
Faneuil declined to touch upon the breaches and the audit findings, directing all inquiries to Entry Well being CT.
In a press release, Kathleen Tallarita, spokeswoman for the company, defined many of the breaches in query are small, affecting one shopper at a time.
Entry Well being CT additionally employed an outdoor cybersecurity agency, Stamford-based JANUS Associates, to assist put in place a stronger info safety framework, Tallarita stated. She added that any vendor answerable for a breach is required to pay for the affected consumer’s safety monitoring, together with Faneuil.
“The trade screens vendor compliance with safety necessities and has applied extra protocols to enhance safety practices at Faneuil and to watch their compliance,” she stated.
In complete, Entry Well being CT reported about 110 breaches between 2013 and 2020, greater than some other group inside or outdoors Connecticut, Legal professional Common workplace information exhibits. It isn’t clear from the information whether or not an Entry Well being CT worker or one in all its distributors was concerned in every of the lapses.
The decision middle at Entry Well being CT had repeated points with unintentionally linking the fallacious private info to different folks’s on-line accounts, in line with the Entry Well being CT reviews filed with regulators disclosing the lack of consumer info.
The reviews, which didn’t level out any malicious intent within the losses of personal information, element how name middle representatives have mistakenly given entry of private info to totally different purchasers by including folks to the fallacious accounts.
In a current breach reported on Jan. 28, for instance, the error was found when a consumer referred to as the middle to allow them to know she may view another person’s personal information.
Faneuil secured its contract to handle Entry Well being CT’s buyer assist in 2016. The contract was renewed in 2019 and once more in August, in line with the group’s monetary statements.
Although Entry Well being CT has stated many of the breaches it reviews contain only one individual, the medical insurance trade has additionally not been proof against outdoors assaults that expose the data of extra folks. Geragosian stated a phishing rip-off involving an Entry Well being CT worker in October 2019 additionally went unreported to the auditor and Comptroller’s workplaces. Faneuil additionally skilled a ransomware assault in Aug. 2021, in line with paperwork shared by the auditor’s workplace.
Entry Well being CT dealt with about 573,000 inquiries from state residents throughout 2021, together with by way of its name middle, in line with the group’s newest annual report.
The pandemic’s results — together with will increase within the ranks of the unemployed and new monetary reduction from support packages — pushed extra folks to hunt out Reasonably priced Care Act plans and use Entry Well being CT’s providers. By the tip of 2021, enrollments had been up by 7%.