State auditors have recommended the Connecticut Health Insurance Exchange develop a system to ensure customers’ personally identifiable information is secure. The recommendation followed a June 2014 data security breach and subsequent review of Access Health CT by an outside security consultant.
The auditors’ recommendation was among three contained in a state Auditors of Public Accounts report released Tuesday on Access Health CT. Auditors also recommended the exchange release meeting minutes and related materials within state-required deadlines after auditors found three instances in which minutes weren’t posted to the agency’s website within seven days.
Auditors also found the exchange didn’t acquire the surety bonds or blanket position bond for board members, as required by statute, noting instead that the agency obtained a “faithful performance” rider to its crime insurance. Auditors noted the attorney general is reviewing the legal sufficiency of the amended insurance policy and recommended the agency respond appropriately to the AG’s findings.
On security of personal information, Access Health CT said it took many steps to protect customer information after the security review and provided a corrective action plan to auditors. Auditors said corrective actions that were considered cost-prohibitive lacked supporting documentation such as a cost-benefit analysis. The plan also lacked a formal review and approval by management of the corrective actions taken or not taken in response to the security consultant’s recommendations, auditors said.
On releasing meeting information, Access Health CT agreed with auditors’ findings and said it would work to post information, including drafts of minutes, to its website as soon as possible.
On the surety bond issue, Access Health CT said it would respond appropriately when it gets the AG’s opinion on the faithful performance rider.
