Vermont discloses data breach on healthcare exchange website
Vermont Health Connect issues report after victim whose records were exposed reports problem
By Steve Ragan, Staff Writer
November 25, 2013 — CSO — Despite warnings and concerns over the fact that websites used to manage the nation's healthcare exchange programs are at risk, and none more so than HealthCare.gov, one of them is already dealing with the fallout from a data breach. According to reports, Vermont has disclosed a data breach linked to its healthcare domain, after the victim whose records were exposed reported the problem.
Vermont Health Connect, the healthcare exchange that opened on October 1 under the Affordable Care Act, managed by the state itself, issued a report to federal officials that described the breach, which occurred on October 17. According to the report, obtained by the Associated Press, the state was notified about the breach after one of the victims sent them a letter.
The person who reported the problem wasn't named in the report. However, Greg Needle, the privacy administrator with Vermont Health Connect, confirmed that this person's Social Security Number, as well as information submitted to the exchange during the application process, was obtained by an unauthorized party. According to a letter Needle sent to the Centers for Medicare and Medicaid Services (CMS), the person learned about the breach from an anonymous letter.
The letter itself was a copy of the unnamed person's application, along with a message written on the last page of the application and the back of the envelope that said, "VERMONT HEALTH CONNECT IS NOT A SECURE WEBSITE!"
While the report to CMS outlines a single example, which is only known because the person impacted reported it on their own, there is no way to tell if others received the same anonymous warning. On the Vermont Health Connect website, there is no mention of the incident.
In a statement, Mark Larson, the commissioner of the Department of Vermont Health Access, said the incident was "one case and it was responded to appropriately," adding that the "unique circumstances" that led to the breach cannot be repeated due to his department's efforts.
Only 16 other states besides Vermont manage their own portals for the Affordable Care Act; all others use HealthCare.gov. Asked for his thoughts about this latest incident, Dave Kennedy, the CEO of TrustedSec LLC and one of the people who recently testified during a hearing by the House of Representatives Science, Space and Technology Committee about the high levels of risk on HealthCare.gov, said he thinks this is just the beginning.