A data breach involving Connecticut’s health insurance exchange has been traced to an employee of the company that runs the agency’s call center, according to the exchange.
A backpack discovered on a Hartford street Friday afternoon was found to contain four notepads with handwritten names, Social Security Numbers and birth dates for about 400 people, as well as paperwork from Access Health CT, the state’s exchange, according to exchange officials.
The backpack belongs to an employee of Maximus, which runs the exchange’s call center, Access Health Chief Marketing Officer Jason Madrak said in a statement Sunday. The employee came forward after learning about the backpack’s discovery on television news, Madrak said.
“While we are still working to understand exactly why this person took the information out of the building, based on what we have learned so far it does not appear there was malfeasance on the part of this person,” Madrak said.
Call center workers sometimes make the sort of notes found in the backpack while helping clients, but they are not allowed to take the notes from the call center office, Madrak said.
The employee who owns the backpack is on administrative leave and officials from Access Health and Maximus are meeting Monday morning to continue the investigation and determine “any actions necessary to ensure this does not occur again,” Madrak said.
The exchange is calling people whose names were on the notepads found in the backpack. They will be offered free credit monitoring, fraud resolution, identity theft insurance and security freezes of credit reports.
Madrak said the data included fewer than 200 Social Security Numbers.
“We are sorry this happened, and we are working to rectify as quickly as possible, as well doing whatever is necessary to try to prevent it from happening again,” Madrak said.
It was not clear how the backpack ended up on the street in Hartford. It was found on Trumbull Street, the same street as the building that houses Access Health’s headquarters and call center.
Earlier this year, House Republicans raised concerns about the security of Access Health customers’ data, proposing a bill that would require enhanced background checks for people who apply to work at the exchange or who will have access to personal information of people seeking coverage through the exchange. The bill died in committee.
“There is a concern about the private information of folks that are going through the exchange,” Rep. Rob Sampson, R-Wolcott, said during a March public hearing.
But exchange CEO Kevin Counihan testified that the bill’s requirements were unnecessary and would be costly to implement.
Counihan told legislators that the exchange already performs “comprehensive criminal background checks” on all employees, navigators and assisters who help sign people up, and vendor staff.
One of Counihan’s criticisms of the proposal was that it would require the exchange to pay for background checks of vendor employees, something the vendors currently pay for. At one point in his testimony, Counihan used Maximus as an example, noting that the company had roughly 309 people in the call center.
“Maximus, like our other vendors, conforms to our existing security requirements,” Counihan said, adding that Maximus, not the exchange, pays the costs.
“We treat issues with privacy and security with the utmost seriousness and have from the beginning,” he testified.
Maximus’ contract with Access Health includes provisions related to security breaches and loss of data, requiring the call center contractor to notify the exchange and state attorney general within 24 hours after discovering or becoming suspicious about a breach or loss. The contract also requires Maximus to provide and pay for credit monitoring by all people affected by a breach.