MNsure will check security until last minute
ST. PAUL — Supporters and opponents of Minnesota’s health insurance marketplace disagree whether it will be able to launch as planned next Tuesday, but whoever is right, it will be close. Many of those involved in the federally mandated MNsure health insurance sales program have not been trained, with less than a week to go.
“We learned today from MNsure officials that brokers, counties and navigators have yet to be fully trained in MNsure security policies a week before launch,” Senator Michelle Benson, R-Ham Lake, said after a Tuesday legislative committee meeting. “MNsure was also unable to commit at this point if private information used in initial enrollment will be protected for thousands of Minnesotans.”
MNsure Executive Director April Todd-Malmlov said there is only a slim chance the website that forms the foundation of her project will not be ready.
“We are assessing that on a day-to-day basis to make sure we are ready to go on October 1,” Todd-Malmlov said, and if a security problem is discovered at the last minute the website debut could be delayed. “We will not be going live if there is a smoking gun or a risk to security.”
Benson and Todd-Malmlov made their comments during and after a sometimes-confrontational meeting of a state House-Senate committee established to provide MNsure oversight. Questions and debate dominating the meeting centered on a data breach that occurred September 12 when a MNsure employee mistakenly e-mailed a list of insurance brokers and private information about them to a Burnsville insurance agent.
The person no longer works for MNsure.
Senator Tony Lourey, DFL-Kerrick, said that he is happy MNsure responded to the improper e-mail within half an hour of when it went out. He called it a “robust response” that lasted several days, including sending state computer experts to examine the computer that received the email to make sure it was erased and not forwarded.
Thousands of insurance agents and brokers, county employees and state workers continue to undergo training in the final days before Tuesday’s MNsure start. Part of that training involves how to guard private data.
Todd-Malmlov said the “data incident,” as she called it, was due to a human error. She said there now are protections in place that require all private data to be encrypted and would not allow an unencrypted file to be e-mailed, as happened September 12.
“We know there is anxiety out there,” Todd-Malmlov said.
Todd-Malmlov said that although thousands of people will have computer access to some private MNsure data, it mostly will be very limited. For instance, an “assister” who helps Minnesotans navigate MNsure will have access to some data of those whom he or she helps, but not other people.
Chris Buse, the state’s information security officer, said that the computer system will monitor every action and flag anything unusual. As an example, if someone accesses data at an unusual time, it will be flagged for a manager to investigate.
“We are limiting access to information to absolutely those who need to know,” Todd-Malmlov said.
President Alycia Riedl of the Minnesota Association of Health Underwriters told lawmakers that insurance agents and brokers are concerned.
“This could have been prevented had MNsure listened to agents,” she said.
One agent balked when asked to give MNsure his Social Security number via e-mail, Riedl said. He was told he had to take the information to the MNsure office personally to ensure its security; that is what he did.
Riedl said the process seemed too hurried.
“Honestly, it felt very much like a train going very, very fast and nobody wanted to stop and listen to us,” she said.
Legislative Auditor Jim Nobles said his office is investigating the September 12 data e-mail, but a report will not be available until a week or two after MNsure opens for business.
“I always have concerns about the systems the state creates and whether or not they have been adequately tested,” he said in an interview.