State auditors have raised concerns about the ability of Connecticut's health insurance exchange to ensure that information about its customers is secure.
In a report released Tuesday, the auditors cited concerns raised by a security expert who reviewed the exchange following a 2014 security breach and suggested that the quasi-public agency should develop a system for responding to reported security deficiencies.
"In the absence of a management control system that holds the organization accountable for responding in a timely manner to reported deficiencies in the security of the Exchange, the Exchange cannot provide assurance that the [personally identifiable information] in its possession is secure," the auditors wrote.
The exchange, Access Health CT, said in a written response included in the report that it had taken steps to improve security to better protect consumers' information.
The security issues raised in the auditors' report stem from a data security breach that occurred in June 2014, when an employee of the exchange's call center left a backpack on a Hartford street containing four notepads with handwritten names, Social Security Numbers and birth dates for about 400 people.
After that, the exchange hired a security firm to perform a security assessment of Access Health's Hartford headquarters, two storefronts it operates, and some contractor sites. The firm found several deficiencies in the exchange's security, according to the auditors, including:
- People interviewed by the security expert appeared to be uncertain about who had responsibility for security policies, procedures and plans. The auditors reported that the security expert said that "most interviewees stated that they have not read the few available security policies and procedures, rely on word of mouth or email reminders from staff for dissemination of information and received verbal training session."
- When most people interviewed were asked about "critical assets, high-risk or sensitive areas, and physical security," they referred to another person or department as being responsible, the auditors wrote. This led the security expert to conclude that there was a lack of security training, awareness and responsibility.
- While the security expert requested approximately 25 documents to review, the exchange was only able to provide approximately five of them and "several emails," the auditors wrote. The security firm reported that the exchange's Information Security Policies and Procedures document and other documents "require a considerable amount of rewriting."
State auditors asked in May for a copy of corrective actions the exchange planned to take or had already taken in response to the security expert's findings. But the exchange was unable to provide evidence that it had taken action or planned to do so, they wrote.
Exchange officials later provided a corrective action plan along with their response to the auditors' report, but the auditors wrote that while some items were deemed cost-prohibitive, there was no documentation showing a cost-benefit analysis. The plan also did not include a formal review and approval by management of corrective actions taken or not taken in response to the security firm's assessment, the auditors wrote.
In a written response included in the audit, Access Health said it hired a firm in January to conduct a security assessment and had made improvements, including:
- The call center vendor, Maximus, made "significant changes" to its physical security, and worked with the exchange's privacy officer to improve and monitor security practices.
- Access Health leased a separate, secure space to house its issue resolution department, which handles customers' personally identifiable information.
- The exchange's security policies are included in the employee handbook, which workers must read and sign on their first day. Employees must also complete an annual information technology security training course.
- Access Health's privacy officer has trained employees and contractors on security and policies, particularly on the handling of personally identifiable information.
- The privacy officer and issue resolution department supervisors "vigilantly" monitor the protection of personally identifiable information and check daily for unsecured identifiable customer information in the exchange's offices. If any is found, it is either secured or destroyed, according to the exchange's response.
- Access Health is hiring a security vendor to conduct a full security audit of the exchange's office and the state's data center in Groton.
The auditors also reported that the exchange did not always post minutes from its board meetings on its website within seven days, as state law requires. In one case, the auditors wrote, the exchange planned to wait nearly six months before posting minutes for a meeting of the board's finance committee, until after the minutes were approved and finalized at the committee's next meeting.
Delays in releasing meeting minutes "reduces the public's ability to perform its watchdog role in a timely manner over board members' governance responsibilities, management oversight, and decisions regarding matters of public interest," the auditors wrote.
In a written response, Access Health said it would "make its best effort" to post minutes and meeting materials as soon as possible, and would post minutes in draft form until they are approved at the next meeting.
In a statement Tuesday, Access Health CEO Jim Wadleigh said the organization took the recommendations "quite seriously, and are committed to working as hard as we can to successfully address each issue as outlined in this report."
"We're proud of the work we've done, but as is the case with any organization, we can always do better," Wadleigh said.