For the second time in two months, a user of the Vermont Health Connect website gained access to someone else’s personal information.
Mark Larson, commissioner of the Department of Vermont Health Access, told lawmakers the incident, which occurred Friday, was caused by human error.
Larson — who was publicly reprimanded by Gov. Peter Shumlin and House Speaker Shap Smith for failing to disclose the previous breach — shared the news during a House Health Care Oversight meeting Tuesday.
The incident, according to Larson, was limited to two individuals with the same first and last names, and it was the result of a human error, not an issue with technology or hacking.
Larson described the event as a “privacy incident,” emphasizing that it did not constitute a “security breach” because no one broke into the system.
What happened, according to Larson, is that one user called a customer service representative to make a change to their application. The representative accidentally attached another user’s personal information to this caller’s account in the process of documenting their request.
The caller later noticed that another person’s information had been included in their account. They immediately notified the department, and DVHA reported the incident to the Centers for Medicare and Medicaid Services on Saturday. According to the incident report, “the caller was able to view the other customer’s address, email and phone number and when individual clicked on my applications they were able to view the other Individual’s summary of benefits page.”
The first incident, on Oct. 17, involved two participants who registered with the same user name.
Asked whether he could assure Vermonters that a similar event won’t occur in the future, Larson said: “We’ll do a review of all of our procedures to see if there are more steps that we can take. It is unique to have two people with the exact same name.”
Larson didn’t waste time letting lawmakers know — he sent a memo Monday, describing the incident and assuring them it was an isolated occasion. The three-paragraph briefing concludes, “In responding to this incident, all privacy protocols were followed. VHC has reported the incident to CMS and has communicated with both individuals involved. VHC is also making every effort to ensure that the Customer Support Center procedures are sufficiently detailed and VHC workers are adequately trained to avoid any such incidents in the future.”
The sole question from lawmakers Tuesday came from Sen. Sally Fox, D-Chittenden, who wanted to know whether Vermont Health Connect users have to provide information, in addition to their names, to verify their identity on the phone. People are required to answer security questions, Larson said. The incident occurred after the questions were asked.
“We are not raising it because we feel there is a risk to other Vermont Health Connect users,” Larson told the committee.
House Minority Leader Don Turner, R-Milton, wasn’t appeased by Larson’s reassurances.
“I absolutely have concerns,” Turner said Tuesday. “This is the second time one of these ‘isolated’ security breaches has occurred, and we are getting the same story a second time — that it won’t happen again, that it’s a minor event.”
Turner also contested Larson’s statement, which indicated that it’s rare for two people to share the same name.
“There’s another guy in Jericho with the same name as mine,” Turner said. “Look in the phone book under Smith.”
Larson deferred to Department of Information and Innovation (DII) Commissioner Richard Boes to describe what the state is doing to shield Vermont Health Connect from security breaches.
“We are going through a very thorough review process of all of CGI’s security,” Boes assured the committee.
While Larson has been a frequent guest at health care committee meetings, some members of the Oversight Committee were unclear about the role DII plays in overseeing the exchange.
DII’s responsibilities aren’t written into the state’s contract with CGI, but state law requires the department to oversee IT projects, and it has been involved since the beginning, Boes explained. One person in particular, Chief Information Security Officer Nick Waringa, is charged with monitoring the security of “all state systems.”
Part of the state’s contract calls for a security audit to be carried out by a third party. That audit is complete and was submitted to DII on Monday, but it won’t be released to the public because it contains sensitive security information, Boes said.
According to Boes, the report hasn’t uncovered anything alarming — “There are multiple findings in this report but many are about dotting I’s and crossing T’s.”
The contract requires CGI to respond to the findings with a plan of action for each item, and CMS mandates that “high risk” issues be addressed by Jan. 31.
The audit findings aren’t identified by priority level, and DII has just begun sifting through the report.
“There may be more serious audit items in there, but until we do a thorough analysis of that report, we do not have prioritization of those items,” Boes added.
Editor’s note: This article was updated at 5:19 p.m.