Mere days after the Centers for Medicare and Medicaid Services (CMS) declared that the Affordable Care Act’s (ACA) data hub was properly safeguarded and privacy would not be an issue, MNsure, Minnesota’s new online health insurance exchange (HIX) that will connect to the federal hub, reported a privacy breach.
A MNsure employee accidentally emailed the unencrypted personal data of more than 2,400 insurance agents, such as Social Security numbers, names and business addresses, to an Apple Valley insurance broker’s office. The Star Tribune reported that, upon learning of the breach, a MNsure security officer called the recipient and helped them delete the file data from their hard drive.
While the MNsure breach isn’t related to the federal hub’s technical security protections and may be a one-time incident, it certainly won’t build further confidence in the ability of online health insurance exchanges to protect patient data. Moreover, it was just this week that CMS definitively stated that the federal hub used to determine eligibility for federal subsidies is secure. Some Republicans disagreed with that notion, arguing that the requisite testing time hadn’t been met to ensure proper security.
At the state level, such as in Minnesota, there are detractors of online health insurance exchanges who are concerned with privacy as well. Private data such as Social Security numbers will be flowing from the state hubs to the federal hub to determine which patients are eligible for government subsidies, so the Minnesota breach is clearly an issue that adds fuel to ACA opponents’ arguments.
Steve Parente, a University of Minnesota finance professor who specializes in health IT issues and testified on Capitol Hill earlier this week, believes that the HIXes are being moved along too quickly. Digital data “is a convenient and simple convention to move things along,” Parente said, according to the Tribune. “But the downside is that it can have unintended consequences. It takes time to parse and curate and edit. You can’t do that if you’re in a rush.”
MNsure said it will alert all brokers of the breach and explain that it was collecting Social Security numbers so that the Department of Commerce could tack on the navigator’s training for the required broker education credits.