ST. PAUL — An investigation by the Minnesota Office of the Legislative Auditor has found that a data breach at MNsure earlier this year was unintentional and that there was “no evidence of malicious intent.”
But the report also said MNsure made a series of critical decisions that made personal information connected to 1,500 Minnesota insurance brokers vulnerable to a breach. Fast-moving timelines, not enough workers and inadequate data security are all to blame, the report said.
“Our findings demonstrate that what occurred was more than ‘an HR issue’ involving one employee,” the report states, rebutting one characterization by MNsure’s executive director.
Critics of MNsure have long said data security — whether it’s broker, insurer or customer information — is among their chief concerns about the new website.
The agency immediately alerted brokers that their information had been disclosed. MNsure has offered to pay for one year of identity protection for each broker involved in the data breach.
, according to the report.
MNsure also fired the employee who sent the errant email.
“We are satisfied that MNsure staff and officials acted quickly to mitigate the impact of the unauthorized disclosure of private data,” the report said.
But the report still has plenty of criticism of the agency running the state’s new online insurance marketplace. “MNsure officials made decisions that contributed directly to the disclosure of private data,” the report said.
The auditor’s office said MNsure required brokers and agents to turn over sensitive data the agency did not need, and then failed to ensure the data were secure.
During the course of the summer, MNsure received a great deal of interest from insurance brokers interested in being certified to help their clients with the online marketplace.
But the investigation found that MNsure did not hire enough workers early enough to handle the interest.
“The result appears to be a stressed work environment in which key goals were not achieved in time for MNsure’s opening date on October 1, 2013,” the report said.
The legislative auditor also questioned why MNsure was collecting broker Social Security numbers in the first place — a piece of information that was not necessary to certify insurance agents.
MNsure’s decision to collect Social Security numbers may have stemmed from a misunderstanding with the Minnesota Department of Commerce. MNsure officials were under the impression that that information was required to access a national registry of brokers typically used by the commerce department.
The report said that had MNsure “adequately vetted the decision to collect Social Security number, those negative consequences would have been avoided.”
The auditor also questioned why MNsure was using unsecured email to gather personal information from brokers.
According to the report, MNsure employees must manually encrypt emails sent to people outside state government. But that wasn’t done to gather personal information from brokers, according to the investigation.
MNsure’s broker manager said their aim was to get the certification process done early, so they opted for email instead.
Though MNsure employees are required to pass data security courses, the legislative auditor questioned if they were rigorous enough in the first place.
The auditor’s report also makes a point of saying insurance industry officials objected to MNsure’s practices.
MNsure officials said they generally agree with the findings in the report and underscored that the data breach was an isolated incident that has nothing to do with the online insurance marketplace consumers are using to buy coverage.
“We have since conducted work station-by-work station reviews for privacy and security policy compliance, conducted in-person data privacy and security training sessions with staff, and engaged an outside vendor to perform a root cause analysis of the incident and the factors leading up to it,” MNsure Executive Director April Todd-Malmlov said.