In early June, Access Health CT, the state health exchange created by the Affordable Care Act, almost suffered a bad security breach, when an employee of Maximus, the exchange’s call center vendor, walked out of the office with a backpack containing sensitive customer information. A notepad listed the names of 413 people with 151 corresponding Social Security numbers and birthdates.
The employee claimed the incident was an accident and seemed to have no ill intentions, and probably nothing would have happened if he had stealthily brought it back in the next day to work. Unluckily for the employee, he left the backpack on the street in front of a deli, where a pedestrian found it and, more luckily, called the next day to turn it in. If it had not been returned, a much more serious security breach would have been on the company’s hands.
According to a more recent update from The Courant, Attorney General George Jepsen’s office deployed its Privacy Task Force who, working with other fraud detectives and the Hartford Police Department, investigated the facility to ensure there would not be any deleterious effects. They also performed a full analysis of the security systems in place at Access Health CT, as well as Maximus, to determine why the situation occurred and how similar occurrences can be prevented in the future.
A spokesman of Jepsen’s office, Robert S. Blanchard, said in a statement: “The attorney general takes matters of privacy and data security seriously. Consistent with our practice in past breaches by other custodians of personal information, we reached out on Friday to Access Health CT regarding the incident and its plans to protect those potentially affected. We expect those discussions to continue as we seek to ensure that Connecticut residents’ privacy and personal information is protected.”
The employee was placed on administrative leave during the investigation, but was eventually terminated despite his remorse. Security issues of this type must be taken very seriously by the company, as was demonstrated by the investigative authorities, and a breach of this type is only minor compared to the possibilities.
The affected customers were offered, at no cost, credit monitoring, fraud resolution, identity theft insurance and security freezes of credit reports.
Edited by Adam Brandt