Auditors: Connecticut health insurance exchange failed to report three data breaches [The Register Citizen, Torrington, Conn.]

May 17—The Connecticut Health Insurance Exchange — the state's version of Obamacare — suffered 51 breaches of client information and failed to report three of the cyber-attacks to authorities, according to a recent state audit.

Auditors said the breaches occurred between July 2001 and April 2023. Under state law, state auditors must be informed of all security breaches.

"Breaches of data increase the client's risk of identity theft, medical insurance abuse and financial fraud," auditors noted.

In response, James Michel, chief executive officer for Access Health CT, which runs the exchange, said the agency "recognizes the importance of strong information security controls and has policies and processes in place to prevent disclosure of consumer information."

The audit covered the fiscal years 2020 and 2021.

Security breach

Auditors pointed out state law requires quasi-public agencies such as the health exchange to notify state auditors of any security breach.

"The exchange did not report three of the breaches to the Auditors of Public Accounts and the State Comptroller," the audit noted. "Additionally, the exchange did not take sufficient action to ensure the confidentiality, integrity, and security of client data when one of its contractors incurred 14 of the breaches."

Auditors said overall the exchange experienced 51 breaches of client personal data from July 2021 through April 2023 at five of its contractors, and one of those breaches affected 160 clients.

"The exchange incurred costs of one-year security monitoring for clients who experienced a breach," the auditors said.

The finding has been previously reported in the last audit report covering the fiscal years 2018 through 2019.

Michel, the Access Health CEO, said affected customers were immediately notified of the breach and offered credit monitoring and identity theft protection services.

"AHCT complies with all breach reporting requirements, including notification to the Auditors of Public Accounts and the State Comptroller," Michel said. "To help improve security of customer data, AHCT conducts annual privacy and security training for employees and contractors and requires vendors to train their staff to comply with all AHCT policies."

Purchasing failures

Auditors said the exchange is required to create a purchase order for all purchases, submit receipts for credit card purchases and receive a minimum of three written price quotations from qualified vendors for purchases between $5,000 and $75,000.

Auditors said a review of 25 expenditures, 15 credit card transactions and ten contracts found the exchange:

* Received services prior to the approval of ten purchase orders totaling $1,816,299

* Lacked price quotations for three contracts totaling $151,080.

* Purchased unallowable goods and services for eight credit card transactions totaling $15,606.

* Lacked purchase orders for six credit card transactions totaling $11,240.

* Lacked Form W-9 for six credit card transactions totaling $9,743.

* Lacked expense forms for six credit card transactions totaling $11,361.

* Lacked an invoice for one credit card transaction totaling $2,590.

Auditors faulted the exchange for reducing the "assurance that funding will be available at the time of payment without the proper commitment of funds. Noncompliance with purchasing policies increases the risk of improper purchases."

The finding was previously reported in the last audit report covering the fiscal years 2018 through 2019.

In response, Access Health said its accounting and policy manual does not specifically require purchase order approval prior to ordering goods and services.

"In most instances, AHCT executes a purchase order before the purchase of goods and services. In some instances, time is of the essence and a purchase order is approved slightly after performance has begun," the agency told auditors.

"For all the testing exceptions, purchase orders were approved very shortly after the start of services and well before the completion of services," the agency said. "For one instance noted, the purchase order was created nine days prior to the event so the Exchange did not receive goods or services prior to the approval of the purchase order."

Referring to credit card purchases, Access Health said "the eight credit card exceptions noted were appropriate and allowable pursuant to Exchange policy. In these instances, the vendor requested payment via credit card."

In a rebuttal, auditors noted purchase orders serve to approve and commit funding prior to purchase.

"The Accounting Policy and Procedure manual states that a purchase order must be approved before it can be received against," auditors said. "In the one instance noted in the response, the exchange incurred the expense prior to the approval of a purchase order.

The exchange also did not provide documentation to support vendor requests for payment through credit card, auditors insisted.

"The credit card policy does not differentiate requirements between travel and non-travel expenditures," auditors noted. "The credit card policy notes that expenditures over $600 require a W-9 form and a purchase order for new vendors, and only a purchase order for current vendors."

Auditors added "the credit card policy requires credit card holders to submit an expense report with supporting receipts for each month they use the credit card. If the exchange feels that such differentiation is necessary, it should modify its credit card policy."

Criminal background checks

Auditors said state law requires all Navigator Grant personnel undergo a criminal background check due to access to client personal information. However, the exchange did not maintain a list of Navigator personnel required to complete criminal background checks.

"We were unable to verify whether any personnel who did not undergo a criminal background check participated in the program," auditors said. "The exchange paid $372,459 to five Navigator organizations during the fiscal years ended June 30, 2020 and 2021."

The impact, auditors said, was "reduced assurance that the Navigator organizations protected personally identifiable information."

In response, Access Health said "the Exchange does not request the actual results of the background checks. However, each contract provides that the [Navigator] shall not allow any individual who has been convicted of any felony or misdemeanor involving dishonesty, breach of trust, or money laundering to perform services the Exchange."

The agency added "beginning with FY25, the Exchange will require each Navigator to provide a written certification to the Exchange that its personnel have passed the requisite background check prior to such personnel providing Navigator services."

___

(c)2024 The Register Citizen, Torrington, Conn.

Visit The Register Citizen, Torrington, Conn. at www.registercitizen.com

Distributed by Tribune Content Agency, LLC.