The Internal Revenue Service and Hartford police are conducting a criminal investigation of the data breach involving information on clients of Connecticut’s health insurance exchange. But an exchange official said Thursday that the cause was most likely a mistake by a call center worker.
The breach occurred two weeks ago after a worker at the exchange’s call center put notepads containing callers’ names, birth dates and Social Security numbers into a backpack and left the call center. The backpack was later discovered outside a Hartford deli, where the worker had been waiting for a ride. He told officials with Maximus, the company that runs the call center, that he’d accidentally left without the bag.
It was a policy violation for the worker to take personally identifiable information out of the office, said Virginia Lamb, general counsel of Access Health CT, the state’s exchange.
“He did have his reasons,” she told members of the exchange’s board during a meeting Thursday. “He didn’t have at the time a place to lock up his data. He put it in his backpack.”
“It was a very bad decision,” Lamb added. “But so far at least, we have not seen evidence of criminality.”
The worker was relatively new at the call center and had finished his training at the end of April, Lamb said. At the time of the breach, he hadn’t yet been assigned a desk.
The worker is currently on administrative leave. Lamb said it’s the policy of both Access Health and Maximus to terminate a worker who violates policies that lead to a data breach, but she said the company wanted to finish the investigation first and cooperate with the police department.
Since the breach occurred, Maximus has stopped using paper in its call center and has put wipe boards in each terminal. Workers sometimes write down callers’ information because they use two separate computer systems, and writing things down allows them to avoid asking callers for information twice, exchange officials have said.
The exchange sent letters last Thursday and Friday to 395 people affected by the breach, offering them credit monitoring, credit resolution services and identity theft insurance. People were also offered a phone number to call, and 44 have called so far, exchange Chief Operating Officer Peter Van Loon said.
Some of the letters were returned as undeliverable, Van Loon said. The exchange is trying to find accurate addresses for those people.
Exchange board members raised questions about how the breach could have occurred and about what happened after it was discovered. The person who found the backpack notified the office of his state representative, Jay Case of Winsted, and brought it to the Legislative Office Building. A GOP staffer then notified the exchange.
“I’ve never heard of a situation where you find something and your impulse is, ‘I’ll bring it to my state representative,’” board member Dr. Robert Scalettar said.
Board member Bob Tessier focused on Maximus.
“Have they given us any explanation of how someone could engage in this kind of blatant violation, not only of the rules and the terms of this person’s employment, but frankly any kind of common sense?” he asked, adding that it appeared no one was supervising.
“I can’t say we have a good explanation,” Lamb said.