[BreachExchange] Vermont Health Connect had 10 data breaches last winter
Destry Winant
destry at riskbasedsecurity.com
Fri Apr 23 10:23:22 EDT 2021
https://vtdigger.org/2021/04/18/vermont-health-connect-had-10-data-breaches-last-winter/
In mid-December, a Vermont Health Connect user was logging in when the
names of two strangers popped up in the newly created account.
The individual, who was trying to sign up for health insurance,
deleted the information that had suddenly appeared.
“It was super unsettling to think that someone is filing in my account
with my information,” the person, whose name is redacted in records,
wrote in a complaint to the Department of Vermont Health Access. “Just
seems like the whole thing needs a big overhaul.”
It was one of 10 instances between November and February during which
Vermont Health Connect users reported logging in to find someone
else’s information on their account.
The data breaches included names of other applicants and, in some
cases, their children’s names, birth dates, citizenship information,
annual income, health care plans, and once, the last four digits of a
Social Security number, according to nearly 900 pages of public
records obtained by VTDigger. On Dec. 22, the department’s staff shut
down the site to try to diagnose the problem.
While officials say the glitches have been resolved, it’s the most
recent mishap for a system that has historically been plagued by
security and technical issues. The breaches could be even more
widespread: Administrators of Vermont Health Connect can’t tell if
other, similar breaches went unreported.
“We don’t know what we don’t know,” said Jon Rajewski, a managing
director at the cybersecurity response company Stroz Friedberg.
Regardless of whether there are legal ramifications for the incidents,
they should be taken “very seriously,” he said.
“If my data was being stored on a website that was personal — maybe it
contains names or my Social Security number, like my status of
insurance… — I would expect that website to secure it and keep it
safe,” he said. “I wouldn’t want someone else to access my personal
information.”
Andrea De La Bruere, executive director of the Agency of Human
Services, called the data breaches “unfortunate.” But she downplayed
the severity of the issues. Between November and December, 75,000
people visited the Vermont Health Connect website for a total of
330,000 page views, she said. The 10 incidents? “It’s a very uncommon
thing to have happen,” she said.
De La Bruere said the issue was fixed on Feb. 17, and users had
reported no similar problems since. The information that was shared
was not protected health information, she added, and the breaches
didn’t violate the Health Insurance Portability and Accountability
Act, or HIPAA.
“No matter what the law says technically, whether it’s HIPAA-related
or just one’s personal information, it’s really concerning,” said
Health Care Advocate Mike Fisher.
The timing of the issue is less than ideal, he added. Thousands of
Vermonters are expected to log into Vermont Health Connect in the
coming weeks to take advantage of discounts granted by the American
Rescue Plan. “It’s super important that people can access the system,
and that it’s safe and secure,” Fisher said.

A ‘major issue’

The issues first arose on Nov. 12, when at least two Vermonters logged
in and found information about another user, according to records
obtained by VTDigger.
Department of Vermont Health Access workers flagged it as a “major
issue” for their boss, Kristine Fortier, a business application
support specialist for the department.
Similar incidents also occurred on Nov. 17 and 18, and later on
multiple days in December.
Department of Vermont Health Access staff members appeared alarmed at
the issues, and IT staff escalated the tickets to “URGENT.”
“YIKES,” wrote a staff member, Brittney Richardson. While the people
affected were notified, the data breaches were never made public.
State workers pressed OptumInsights, a national health care tech
company that hosts and manages Vermont Health Connect, for answers.
The state has contracted with the company since 2014. It has paid
about $11 million a year over the past four years for maintenance and
operations, with more added in “discretionary funds.”
Optum appeared unable to figure out the glitch. “It is hard to find
root cause of issue,” wrote Yogi Singh, service delivery manager for
Optum on Dec. 10. Optum representatives referred comments on the
issues to the state.
By Dec. 14, Grant Steffens, IT manager for the department, raised the
alarm. “I’m concerned on the growing number of these reports,” he
wrote in an email to Optum.
The company halted the creation of new accounts on Dec. 14, and shut
down the site entirely on Dec. 22 to install a temporary fix. “It’s a
very complex interplay of many many pieces of software on the back
end,” said Darin Prail, agency director of digital services. The
complexity made it challenging to identify the problem, and to fix it
without introducing any new issues, he said.
In spite of the fixes, a caller reported a similar incident on Jan. 13.
On Feb. 8, a mother logged in to find that she could see her
daughter’s information. When she logged into her daughter’s account,
the insurance information had been replaced by her own.
“Very weird,” the mother wrote in an emailed complaint.
Optum completed a permanent fix on Feb. 17, according to Prail.
Vermont Health Connect has not had a problem since, he said.
Prail said the state had reported the issues to the Centers for
Medicaid and Medicare Services as required, and had undergone a
regular audit in February that had no findings. The state
“persistently pressured Optum to determine the root cause and correct
the issue expeditiously but at the same time, cautiously, so as to not
introduce additional issues/problems,” he wrote in an email to
VTDigger.
“We take reported issues like this very seriously,” he said.

A history of glitches

The state’s health exchange has been replete with problems, including
significant security issues and privacy violations, since it was built
in 2012 at a cost of $200 million.
The state fired its first contractor, CGI Technology Systems, in 2014.
A subcontractor, Exeter, went out of business in 2015. Optum took over
for CGI, and continued to provide maintenance and tech support for the
system.
[Photo caption: Don Turner, right, then the House minority leader, speaks in 2016 about the need to fix the state’s glitch-ridden Vermont Health Connect website. With him are Phil Scott, left, then the lieutenant governor, and Sen. Joe Benning. Photo by Erin Mansfield/VTDigger]
In 2018, when Vermont Health Connect was less than six years old, a
report dubbed the exchange outdated and “obsolete.”
Officials reported similar privacy breaches in 2013, when Vermonters
saw other people’s information.
An auditor’s report in 2016 found a slew of cybersecurity flaws, and
officials raised concerns again during a 2018 email breach.
It wasn’t the first time that Vermont Health Connect users had been
able to view other people’s personal information. Three times since
October 2019, individuals had logged in to see another individual’s
insurance documents. Prail attributed those incidents to human error,
not to a system glitch: a staff member had uploaded documents to the
wrong site, he said.
In spite of the issues, Prail said he and other state officials have
been happy with Optum. After years of technical challenges with
Vermont Health Connect, “Optum has really picked up the ball and
improved it and been running it pretty well,” he said.
Glitches are inevitable, he added, and Optum has addressed them
quickly. “They took a really difficult-to-manage site and made it work
pretty well,” he said. “Optum is generally quite responsive to any
issues we have.”
“I find any privacy breach to be concerning,” said Scott Carbee, chief
information security officer for the state. He noted that the state
uses “hundreds of software systems.”
“While the scope of the breaches can be mitigated, true prevention is
a difficult task,” he wrote in an email to VTDigger.
Though Optum spokesperson Gwen Moore Holliday referred comments to the
state, she said the company was “honored” to work with Vermont Health
Connect “to support the health care needs of Vermont residents.”
Prail said the Agency of Human Services had no plans to halt its
contract with the company. “I don’t have a complaint about Optum,” he
said. “They took a really difficult-to-manage site and made it work
pretty well.”