For the second time in two months, a user of the Vermont Health Connect website gained access to someone else’s personal information.

Mark Larson, commissioner of the Department of Vermont Health Access, told lawmakers the incident, which occurred Friday, was caused by human error.

Larson — who was publicly reprimanded by Gov. Peter Shumlin and House Speaker Shap Smith for failing to disclose the previous breach — shared the news during a House Health Care Oversight meeting Tuesday.

The incident, according to Larson, was limited to two individuals with the same first and last names, and it was the result of a human error, not an issue with technology or hacking.

Larson described the event as a “privacy incident,” emphasizing that it did not constitute a “security breach” because no one broke into the system.

What happened, according to Larson, is that one user called a customer service representative to make a change to their application. The representative accidentally attached another user’s personal information to this caller’s account in the process of documenting their request.

The caller later noticed that another person’s information had been included in their account. They immediately notified the department, and DVHA reported the incident to the Centers for Medicare and Medicaid Services on Saturday. According to the incident report, “the caller was able to view the other customer’s address, email and phone number and when individual clicked on my applications they were able to view the other Individual’s summary of benefits page.”

The first incident, on Oct. 17, involved two participants who registered with the same user name.

Asked whether he could assure Vermonters that a similar event won’t occur in the future, Larson said: “We’ll do a review of all of our procedures to see if there are more steps that we can take. It is unique to have two people with the exact same name.”

Larson didn’t waste time letting lawmakers know — he sent a memo Monday, describing the incident and assuring them it was an isolated occasion. The three-paragraph briefing concludes, “In responding to this incident, all privacy protocols were followed. VHC has reported the incident to CMS and has communicated with both individuals involved. VHC is also making every effort to ensure that the Customer Support Center procedures are sufficiently detailed and VHC workers are adequately trained to avoid any such incidents in the future.”

The sole question from lawmakers Tuesday came from Sen. Sally Fox, D-Chittenden, who wanted to know whether Vermont Health Connect users have to provide information, in addition to their names, to verify their identity on the phone. People are required to answer security questions, Larson said. The incident occurred after the questions were asked.

“We are not raising it because we feel there is a risk to other Vermont Health Connect users,” Larson told the committee.

House Minority Leader Don Turner, R-Milton, wasn’t appeased by Larson’s reassurances.

“I absolutely have concerns,” Turner said Tuesday. “This is the second time one of these ‘isolated’ security breaches have occurred, and we are getting the same story a second time — that it won’t happen again, that it’s a minor event.”

Turner also contested Larson’s statement, which indicated that it’s rare for two people to share the same name.

“There’s another guy in Jericho with the same name as mine,” Turner said. “Look in the phone book under Smith.”

Larson deferred to Department of Information and Innovation (DII) Commissioner Richard Boes to describe what the state is doing to shield Vermont Health Connect from security breaches.

“We are going through a very thorough review process of all of CGI’s security,” Boes assured the committee.

While Larson has been a frequent guest at health care committee meetings, some members of the Oversight Committee were unclear about the role DII plays in overseeing the exchange.

DII’s responsibilities aren’t written into the state’s contract with CGI, but state law requires the department to oversee IT projects, and they’ve been involved since the beginning, Boes explained. One person, in particular, the Chief Information Security Officer, Nick Waringa, is charged with monitoring the security of “all state systems.”

Part of the stateโ€™s contract calls for a security audit to be carried out by a third party. That audit is complete and was submitted to DII on Monday, but it wonโ€™t be released to the public because it contains sensitive security information, Boes said.

According to Boes, the report hasn’t uncovered anything alarming — “There are multiple findings in this report but many are about dotting I’s and crossing T’s.”

The contract requires CGI to respond to the findings with a plan of action for each item, and CMS mandates that “high risk” issues be addressed by Jan. 31.

The audit findings aren’t identified by priority level, and DII has just begun sifting through the report.

“There may be more serious audit items in there, but until we do a thorough analysis of that report, we do not have prioritization of those items,” Boes added.

Editor’s note: This article was updated at 5:19 p.m.
