Managers of Connecticut’s relatively smoothly running state-based health insurance exchange are having to answer questions about a security breach. Someone found a backpack containing personal information from hundreds of Access Health CT users at a deli in Hartford, Kevin Counihan, the exchange chief executive officer, said Friday in a statement.
An employee of Maximus, a company helping to run the exchange, told the company that he forgot the backpack in a delicatessen, officials said. Notepads in the backpack contained Social Security numbers for about 150 people and the names and birthdates of about 400 people, company representatives said.
Someone gave the backpack to state Rep. Jay Case, R-Conn., and Case called Access Health CT. The exchange staff has been working with the Hartford Police Department to investigate the security breach and contact the exchange users who were affected, Counihan said.
“Our legal department is also in the process of filing all required state and federal breach reports,” Counihan said in a statement. “Let me be clear: we are sorry this happened. This is a very serious situation and we will hold the person or persons who are responsible to account. We will work tirelessly until we have remedied this problem and can prevent any such reoccurrence.”
In recent weeks, several states with state-based Patient Protection and Affordable Care Act (PPACA) exchange enrollment systems that worked poorly have decided to replace their systems with systems based on the technology used in Connecticut. The Health Insurance Portability and Accountability Act (HIPAA) imposes strict privacy and data security rules on any individual or entity with access to personal health information.
Critics of PPACA and the PPACA exchange program have questioned how well the state-based exchanges and the exchanges run by the U.S. Department of Health and Human Services (HHS) can protect the exchange users’ information.