ST. PAUL, Minn. (AP) — In a Sept. 20 story about the Minnesota health insurance exchange's accidental release of private information, The Associated Press erroneously reported that insurance agents' driver's license numbers had been released. The numbers of their state-issued insurance agent licenses were released, not their driver's license numbers.
A corrected version of the story is below:
MNsure parts ways with employee in security breach
MNsure parts ways with employee who released private info; mishap prompts security review
By PATRICK CONDON
ST. PAUL, Minn. (AP) — An employee of Minnesota's health insurance exchange no longer works there after releasing private information about insurance agents.
MNsure executive director April Todd-Malmlov told the agency's board of directors Friday that the employee violated internal policy by storing unencrypted personal information about Minnesota insurance agents on a computer desktop.
Todd-Malmlov said human resources requirements prevent her from revealing whether the employee was fired or transferred to another state agency.
Last week, the worker inadvertently emailed information including Social Security numbers to an insurance agent in Burnsville, prompting MNsure officials to quickly secure the information and alleviate concerns about privacy of personal information as they prepare to deliver health care to Minnesota residents under the federal overhaul.
The agency said the private information pertained to about 1,600 agents, not 2,400 as originally reported. A memo to board members said some of the names on an initial list were duplicates.
When the mistake came to light, MNsure security officials worked with the agent who received the email to make sure he deleted it permanently from his computer.
Todd-Malmlov said MNsure employees dealing with classified data received specific training and had to pass a test in order to get access to the data.
MNsure is now conducting what Todd-Malmlov described as a "unit by unit, workstation by workstation" review to make sure that all employees are following security policies and procedures. The agency will also seek an independent review to identify contributing factors and identify policies or procedures that could prevent similar incidents in the future.
MNsure board member Phil Norgaard said he was confident that what happened was "a human resources problem, not necessarily an IT problem."
Todd-Malmlov also stressed that none of the information accidentally released had been entered through MNsure's customer portal, which goes live Oct. 1.
Kathryn Duevel, another board member, said she wants the agency to take steps to make sure that prospective MNsure customers can be confident their personal information is safe when they enroll.
"We have to give people reassurances that they can feel comfortable applying for MNsure," Duevel said. "Because they're going to be understandably worried."
A legislative panel that oversees MNsure's operations is meeting Tuesday to further discuss concerns raised by the security breach.