Health insurance exchange didn’t report 44 data breaches, but were hit with no security mandates

The health insurance exchange for Connecticut, Access Health, faced a whopping 44 data breaches over the course of three and a half years. But while the audit report detailing these compromises names a host of security and compliance shortcomings, the state auditor merely made recommendations to the HIE to remediate the issues without requiring changes.

The failure to enact sharper enforcement begs the question: where’s the accountability? As Lee Barrett, executive director of the Electronic Health Network Accreditation Commission (EHNAC) puts it, “The bigger issue here is that there’s no accountability.”

“Without any level of accountability, then everyone’s free to do whatever they want, and that’s what they’re doing,” said Barrett.

The state auditor was required by the Connecticut General Statutes to audit the HIE for fiscal years ended June 30, 2018 and 2019. The findings are thorough and clear, identifying shortcomings with internal controls and noncompliance with laws, regulations, and policies. 

The “significant findings” detailed in the report show a need to improve privacy and security practices and procedures “that warrant the attention of management.”

Specifically, Access Health failed to report 44 breaches of patients’ personally identifiable information to the state comptroller and Auditors of Public Accounts. A single contractor caused all but 10 of those breaches, but the HIE did not “take sufficient actions to ensure the confidentiality, integrity, and security of client data,” after making that determination.

The audit also found the HIE’s procurement policy is “extremely broad,” lacking specific criteria to make determinations for awarding sole source contracts. And on multiple occasions, Access Health failed to comply with purchasing policies, such as “receiving services prior to the approval of four purchase orders for $946,346.” 

The HIE also failed to promptly submit annual and quarterly reports to the governor, Auditors of Public Accounts, and legislative Office of Fiscal Analysis as required by state law.

The state auditor conducted a thorough examination of Access Health, including written policies and procedures, financial records, minutes of meetings, interviews with various personnel, and testing selected transactions, all in accordance with government auditing standards.

In response to these findings, the state auditor made four thorough recommendations of how to improve the program and reduce non-compliance. Notably, two of those recommendations were made during the prior audit of the program, meaning those problems are longstanding and unresolved.

Further, the audit does not require those changes or provide a timeline for when these elements should be implemented, despite the previous recommendations being unfulfilled. The recommendations also don’t include enforcement actions or monetary penalties, much like audits provided by the Office of the Inspector General and Government Accountability Office.

Where’s the regulatory teeth?

Given the major compliance issues – and the one problematic vendor behind the majority of breaches -- the lack of disciplinary action is shocking, said Barrett. 

It’s a staunch comparison when considering the number of state government audits of several healthcare entities following reported data breaches, which resulted in, at a minimum, requirements for security programs to be implemented within specific timeframes.

And in multiple settlements between the New Jersey Attorney General and healthcare entities found in violation of state laws, the penalties include stiff monetary fines. For example, the $495,000 settlement between the state and the Diamond Institute for Infertility and Menopause over failures in its cybersecurity practices found after a healthcare data breach reported in 2017.

For Barrett, upon examining the Access Health audit report, it’s hard to believe that the state “would allow all of these breaches to have occurred and not have had some type of oversight to assure that any of these breaches are in fact, reviewed, determined where the the remediation, or the gaps are that need to take place.”

Particularly as one of these breaches affected 1,110 clients, Barrett noted. Under The Health Insurance Portability and Accountability Act, healthcare data breaches impacting more than 500 patients are supposed to be reported to the Office for Civil Rights.

“If that’s the case, where's the compliance side, as far as oversight for any of these breaches? There should be some entity or the government, at least in Connecticut, that should provide that level of oversight, whether it's the attorney general's office, or in many cases, at the federal level,” said Barrett.

“I was just shocked when I read this,” he added.

The other concerning element for Barrett is the lack of third-party certification to demonstrate to stakeholders that the HIE is leveraging the appropriate policies, procedures, and rigorous controls.

Without “having any of that, it's kind of the wild, wild west: Allowing entities and these breaches to go, in essence, unreported, which is unbelievable to me, A, and B, not requiring any type of third-party review to minimize risk, because there are no controls here,” he added.

The response to these breaches should have absolutely had a requirement or statute in place where the organizations must go through a third-party review to demonstrate they have the necessary policies, procedures, and controls in place. Barrett stressed this type of measure will, at the very least, minimize the risk.

In short, there must be an oversight entity, whether the state attorney general’s office or another that could be authorized to provide the appropriate oversight if and when a breach occurs, he explained.

The authority could also ensure the incidents are reported to the appropriate regulatory bodies, as well as, act as support from an accountability or reportability perspective, if a remediation action is needed, which Barrett stressed is the only way to ensure the entity is held accountable and that the needed “remediation takes place so it doesn’t happen again.”

“There has to be some type of penalty, either monetary or basically saying ‘you can't continue to do business, unless you give us a remediation plan within X period of time... And you need to be reporting to us on some type of ongoing basis on how you are addressing this particular issue that was identified,” said Barrett.

“There has to be that level of accountability, otherwise, it's ‘whatever, however you want to do business, it's okay,’” he continued. “I believe organizations at the state level should be requiring any entity… handling PII or PHI to go through third-party certification or accreditation, it raises the bar.”

Although this particular instance does not appear to demonstrate those types of requirements or enforcement actions, OCR’s latest round of enforcement, in tandem with states strengthening their privacy laws, it’s clearly important to consider these challenges and mitigation needs.