Officials admitted late last week that Vermont Health Connect, the health exchange website that handles the State’s Obamacare enrollment, was breached by a user who was able to obtain private information about another applicant — including that person’s Social Security number.
According to The Associated Press, which reported on the security breach after learning the Health Connect website’s privacy advocate had warned Federal Medicaid officials about the incident, the person who was able to breach the site’s security evidently wished only to demonstrate that the site wasn’t robust enough to trust with one’s personal information.
The person whose information was improperly breached received a letter in the mail days after visiting the Health Connect website. Inside was a copy of the application for insurance coverage he’d submitted while on the website, along with a handwritten message on the outside of the envelope: “VERMONT HEALTH CONNECT IS NOT A SECURE WEBSITE!” The same handwritten message also appeared on the back of one of the enclosed pages.
The incident was originally reported to the Federal Centers for Medicare and Medicaid Services on Oct. 17, but was confirmed after The AP requested — and obtained — a copy under Vermont public records law.
The commissioner of the Department of Vermont Health Access told the news agency the incident was the product of “unique circumstances” and represented the only security breach the site had experienced.
The commissioner, David Larson, had testified on Nov. 5 on the site’s general performance before the Vermont House Health Care Committee, assuring lawmakers at that time that no one’s private information had been breached since the site went live.
After news of the incident began reverberating throughout the Internet over the weekend, Larson wrote a letter to Committee Chairman Mike Fisher apologizing for the lie.
The State official overseeing the Vermont Health Connect health insurance exchange has apologized for not being fully candid when a legislator asked him during a committee hearing if there had been security breaches on the website.
“[I] should have instead also included in my response the facts of this single incident, and am sorry that my statements to the committee did not do so,” Larson wrote.
“I was asked about whether any security failures had occurred in Vermont Health Connect,” Mark Larson, commissioner of the Department of Vermont Health Access, said of his testimony Nov. 5 to the Vermont House Health Care Committee.
“I responded that no situation had occurred where somebody’s private information had been breached,” he added in a letter of apology to the committee’s chairman, State Representative Mike Fisher. The letter was dated Sunday and made public Monday.
In a statement Monday, Governor Peter Shumlin (D) said he had been briefed on the security breach, which investigators said was neither intentional nor malicious. Shumlin criticized Larson for the misleading testimony.
“I take this incident extremely seriously. It is unacceptable to be anything less than fully cooperative and transparent with Vermonters and their elected representatives in the Legislature. I am tremendously disappointed in Commissioner Larson’s lapse of judgment in this matter,” Shumlin said. “This incident was promptly identified and resolved, and I was disappointed to learn that Commissioner Larson did not adequately disclose the circumstances of it when asked about this topic in committee earlier this month.”
Vermont’s health exchange has been one of the more successful efforts to enroll those eligible for care. The State said that by Nov. 10 it had signed up 3,500 people, about 12 percent of those expected to enroll, according to a study by Avalere Health cited by NBC News.