MNsure would delay Oct. 1 launch if security risks resurface

MNsure
MNsure Executive Director April Todd-Malmlov answers questions during a news conference about the marketplace's plans and rates Friday, Sept. 6, 2013 at the State Capitol in St. Paul. Behind her, left to right, are MNsure board chairman Brian Beutner, Health Commissioner Dr. Edward Ehlinger and Commerce Commissioner Mike Rothman.
MPR Photo/Jennifer Simonson

Minnesota's online health insurance marketplace would not go live as scheduled next week if any privacy or security risks remain unaddressed, MNsure officials said today.

The agency officials offered that assurance during a legislative oversight committee hearing on MNsure's information security. State lawmakers quickly called the hearing a MNsure employee accidentally released Social Security numbers and other personal data of at least 1500 insurance brokers.

As a result of the data breach, MNsure's executives were on the hot seat today, trying to calm worries about the agency's ability to safeguard personal information.

MNsure executive director April Todd-Malmlov told the committee that brokers whose private data had been compromised will receive free credit monitoring. She said the federal government approved the use of federal grant funds to pay for the protection.

Todd-Malmlov also repeated a refrain MNsure officials have used consistently since the data release -- that the security of the I.T. system where consumers will enter their personal information to shop for insurance was not compromised.

"We have the best-in-class I.T. security within the state involved in this system," she said. "So consumers should feel very confident in coming to this system in October to get the coverage that they need."

More than 1 million Minnesotans are expected to use MNsure to obtain health coverage starting next year when federal law requires most Americans to carry health insurance.

Legislative Auditor Jim Nobles told the committee that his office learned of the data release from news accounts, not MNsure. He said MNsure was required by law to notify his office of the problem.

But Nobles cautioned the committee against drawing conclusions until his office has finished investigating the breach a few weeks from now.

"Yes there was human error," he said. "But the reason for our independent review [is to] determine were there decisions made by MNsure that made it more possible for human error to occur."

Noble's office will conduct a series of additional MNsure related audits in the coming months. Citing MNsure's high profile, the millions of dollars at stake, and its interaction with the public, he said his office would look into how MNsure spends federal funds and into its contracting arrangements starting later this year.

In the spring, Nobles said, his office will MNsure's grant-making process and how it determines who is eligible for government health plans and premium subsidies. During the hearing, state Rep. Joe Atkins, a key architect of the MNsure legislation, asked whether MNsure would be able to protect consumer data when it goes live next week: "Is it ready?" asked Atkins, DFL-Inver Grove Heights.

Todd Malmlov replied that MNsure is still planning to click "go" next Tuesday.

"But we view security very, very strongly as well as the functionality that will be able to provide," she said. "So we are assessing that on a day-to-day basis."

Chris Buse, the state's chief information security officer, said before the system is running, his office would let MNsure know about any security "show-stoppers."

When Atkins asked if state information security reviews had revealed any problems that would prevent MNsure from going live on Oct. 1 or put consumer data in jeopardy, Buse said that was a difficult question to answer.

"We still have some final security work to do," Buse said. "We don't see a list of show-stopper issues from a security perspective; there's things that we're working on. But until all the final review is done, I'm reluctant to say that we're good to go at this point."