ST. PAUL — An investigation by the Minnesota Office of the Legislative Auditor has found that a data breach at MNsure earlier this year was unintentional and that there was “no evidence of malicious intent.”
But the report also said MNsure made a series of critical decisions that left personal information connected to 1,500 Minnesota insurance brokers vulnerable to a breach. Fast-moving timelines, not enough workers and inadequate data security are all to blame, the report said.
“Our findings demonstrate that what occurred was more than ‘an HR issue’ involving one employee,” the report states, rebutting one characterization by MNsure’s executive director.
Critics of MNsure have long said data security — whether it’s broker, insurer or customer information — is among their chief concerns about the new website.
The agency immediately alerted brokers that their information had been disclosed. MNsure has offered to pay for one year of identity protection for each broker involved in the data breach.
, according to the report.
MNsure also fired the employee who sent the errant email.
“We are satisfied that MNsure staff and officials acted quickly to mitigate the impact of the unauthorized disclosure of private data,” the report said.
But the report still has plenty of criticism of the agency running the state’s new online insurance marketplace. “MNsure officials made decisions that contributed directly to the disclosure of private data,” the report said.
The auditor’s office said MNsure required brokers and agents to turn over sensitive data the agency did not need, and then failed to ensure the data were secure.
Over the summer, MNsure received a great deal of interest from insurance brokers seeking certification to help their clients with the online marketplace.
But the investigation found that MNsure did not hire enough workers early enough to handle the interest.