Gov. Peter Shumlin said Monday he is “tremendously disappointed” that his top health care official, Mark Larson, misled lawmakers about a security breach in the state’s online health insurance exchange system.

At a House Health Care Committee meeting Nov. 5, Rep. Mary Morrissey, R-Bennington, directly asked Larson, who is commissioner of the Department of Vermont Health Access, if there had been any security breaches with Vermont Health Connect.

Larson told her there hadn’t, failing to disclose an incident on Oct. 17 in which one user was able to access another user’s Social Security information.

Associated Press reporter Dave Gram broke the news — and the fact that Larson had glossed over it — in a story published Friday.

Shumlin, who said he first learned of Larson’s blunder “by reading about it in the press,” issued a harshly worded reprimand Monday morning. (Shumlin was briefed about the actual security breach shortly after it happened.)

“It is unacceptable to be anything less than fully cooperative and transparent with Vermonters and their elected representatives in the Legislature,” Shumlin said in a statement. “I am tremendously disappointed in Commissioner Larson’s lapse of judgment in this matter.”

The governor, who has touted his administration’s transparency with the public and the press, pledged that his administration wouldn’t withhold information in the future.

“The legislators in Montpelier represent the Vermonters we are all elected to serve, and they have a right to have their questions answered fully,” he said. “That did not happen in this case, and I have made clear to Mark and other members of my administration that it must never happen again.”

The governor gave a gentler reproach at an unrelated news conference on Monday. He said he continues to have “absolute confidence” in the commissioner and has no plans to fire him.

“It’s a small state,” he said. “We all know that people make mistakes. We all know Mark Larson well. I never asked him to do anything except to continue to do the work he’s doing to get Vermont Health Connect working properly.”

Shumlin defended the candor of his entire Cabinet during the rollout of Vermont Health Connect. “I think that Commissioner Larson and I and the entire team have been candid with all the information we have. We tell you the information when we get it,” he said.

Asked if his administration will inform the public of any future security breaches, Shumlin responded: “Absolutely.”

Two days after Gram’s story, Larson sent a letter of apology to the House Health Care Committee, acknowledging that he had not been candid about the incident. Larson said, above all, he’s worried his mistake will sow “unnecessary doubts” about the security of Vermont Health Connect.

House Speaker Shap Smith said Larson’s misstep might have cost him his credibility in the Legislature.

In another scathing rebuke sent Monday, Smith said, “I have spoken with Commissioner Larson and Governor Shumlin and have shared with them my view that a breach such as this will undermine Commissioner Larson’s ability to be an effective representative for the administration in the Legislature. It is now incumbent on Commissioner Larson to work to rebuild the trust he once had with his legislative colleagues.”

House Health Care Committee Chairman Rep. Mike Fisher, D-Lincoln, said, “He obviously did not answer a specific question accurately to the Health Care Committee, and that’s a really big deal.”

But like Larson, Fisher said his greatest concern is that the incident will stir up unfounded concerns about the exchange’s security that will deter people from using the website to sign up for insurance.

Shumlin and Larson have emphasized that the Oct. 17 incident, in which one user was able to access another user’s personal information, stemmed from an internal error and was not the result of external hacking. The administration filed a report, as required, with the Centers for Medicare and Medicaid Services (CMS), and Shumlin and Larson say the problem has been fixed and no other incidents have occurred.

“It wasn’t the kind of security breach that frankly CMS and we would be really concerned about in terms of people trying to manipulate the system and get information that wasn’t theirs,” Shumlin said.

The breach — technically classified as an “unintended electronic disclosure” — came to light in an unusual way. According to the CMS report filed by DVHA, a user received an anonymous piece of mail that contained their application for health insurance, Social Security number included, along with a hand-written message that read, “VERMONT HEALTH CONNECT IS NOT A SECURE WEBSITE.”

DVHA officials reported that they “investigated immediately and determined that two accounts were linked via a recycled username and it was possible for a brief period of time that the two username holders could access the same information.”

For the first time, officials provided more details about the cause of the delay in setting up the payment function of the exchange: security concerns. DVHA is “triple checking” to ensure people’s credit card information is secure before launching that piece of the system, Shumlin said.

Morrissey said she had heard concerns from a navigator group, which prompted her to ask Larson about the security of the exchange on Nov. 5. The commissioner’s response, she said, marked a “real breach in transparency and accountability.”

Morrissey said Larson’s sidestep of her question is part of a trend — she pointed out that one of her fellow committee members, Rep. Chris Pearson, P-Burlington, had criticized the commissioner at the same Nov. 5 meeting for “sugarcoating” earlier problems with Vermont Health Connect.

This article was updated at 5:02 p.m. Monday and 5:47 a.m. Nov. 26.


