Getty Images/iStockphoto

CT Health Insurance Exchange Failed to Report 44 Breaches, Audit Finds

The Connecticut Health Insurance Exchange failed to report 44 data breaches to state agencies, an audit found.

A state audit discovered that the Connecticut Health Insurance Exchange, known as Access Health CT,  failed to report 44 data breaches to the auditors of public accounts and the state comptroller between July 2017 and March 2021.

Access Health CT is Connecticut’s official health insurance marketplace aimed at reducing the number of uninsured individuals in Connecticut. The exchange also allows low-income individuals to apply for Medicaid.

Although Access Health CT reported the 44 breaches to HHS as required by the HIPAA Breach Notification Rule, it failed to comply with state-level breach notification requirements. In addition, 34 of the breaches involved a single contractor.

According to CT Insider, the contractor was Faneuil Inc., which continues to run Access Health CT’s call center. The audit report claimed that the health insurance exchange “did not take sufficient actions to ensure the confidentiality, integrity, and security of client data” after numerous breaches by one contractor.

Most of the breaches were relatively small, but one included a phishing scam that impacted 1,100 clients. Five other entities claimed responsibility for the remaining 10 breaches.

“Our audit identified internal control deficiencies, instances of noncompliance with laws, regulations, and policies, and a need for improvement in practices and procedures that warrant the attention of management,” the audit stated.

The report also noted that Access Health CT’s vendor procurement policy was “extremely broad and lacks specific criteria to determine appropriate reasons for awarding sole source contracts.”

The auditors argued that the exchange failed to implement sufficient internal controls to safeguard their clients’ personally identifiable information (PII). As a result, the exchange agreed to improve its security and procurement practices.

“The Exchange is currently working with two third-party vendors to assist with the implementation of a Risk Management Framework to provide comprehensive visibility and oversight into compliance with information security controls,” the audit report stated.

“The Exchange complies with statutory reporting requirements, and will comply with additional reporting requirements.”

As a result of its findings, the auditors provided recommendations for the health insurance exchange to follow in order to remedy its noncompliance. The auditors recommended that Access Health CT revise its contract procurement policy and strengthen internal purchasing policies and procedures.

In addition, the exchange must submit annual and quarterly reports to the governor and auditors of public accounts for fiscal years 2018, 2019, and 2020.

Next Steps

Dig Deeper on Cybersecurity strategies