HARTFORD, Conn. — The Connecticut Health Insurance Exchange failed to report to state regulators at least 44 incidents in which clients’ personally identifiable information was breached, including one incident that impacted more than 1,000 people, the state’s auditors revealed in a new report.
The Auditors of Public Accounts regularly audits state agencies. The report, issued Tuesday, found 44 breaches of client data from July 2017 through March 2021. One of those incidents involved a phishing scam that affected 1,100 clients.
The report said one of the Exchange’s contractors accounted for 34 of the breaches. Five other entities were responsible for the remaining ten breaches.
State law requires that all quasi-public agencies promptly notify the Auditors of Public Accounts and the State Comptroller of any breach of security. The Exchange, which operates Access Health CT, did not do that in these cases, auditors said.
In addition to increasing the chance of identity theft for the individuals who had their data compromised, the auditors said the state was forced to pay for two-year security monitoring for clients who experienced a breach.
In the report, the Exchange said it monitors "vendor compliance with security requirements and is implementing additional protocols to monitor compliance and improve vendor security practices. The Exchange requires any vendor causing a breach to cover the cost of two years of security monitoring for clients who experienced a breach."
In a statement to FOX61, Access Health CT said it is committed to "protecting the security of the consumer information used in its operations."
"In a recent audit, it was identified that 44 breaches that were reported to HHS and the Connecticut AG were not filed with the Auditors and Comptroller," the statement said. "Access Health CT (AHCT) immediately filed copies of the reports previously filed with the AG and HHS with the Auditors and Comptroller to correct the error."
The statement continued: "Additionally, AHCT has continually worked with its vendors, including its call center vendor, as well as scanning and document processing vendors and mailing vendors to create policies and procedures to maintain the security of PII and Protected Health Information (PHI). AHCT also has policies and procedures in place for its own employees, conducts annual privacy and security training for employees and contractors and requires vendors to train their staff and comply with all AHCT requirements."
Other items in the report took the agency to task for how it awarded some contracts to a sole source. Auditors also said the Exchange did not comply with other state purchasing policies that require purchase orders to be approved before services are received.
"The Exchange has refined its purchasing processes to ensure compliance with purchasing policies and procedures, and has implemented the use of a new requisition system to prevent irregularities or noncompliance," said the agency's response in the report.
Auditors also said the Exchange failed to submit annual and quarterly reports to the governor's office. The agency blamed staffing issues and said the reports have been properly submitted since December 2020.
Doug Stewart is a digital content producer at FOX61 News. He can be reached at dstewart@fox61.com.