The Name is MNsure, Not MNsecure

It hasn’t really even opened for business yet, but in a hardly shocking turn of events our new overlords at MNsure have already managed to screw the pooch:

A MNsure employee accidentally sent an e-mail file to an Apple Valley insurance broker’s office on Thursday that contained Social Security numbers, names, business addresses and other identifying information on more than 2,400 insurance agents.

An official at MNsure, the state’s new online health insurance exchange, acknowledged it had mishandled private data. A MNsure security manager called the broker, Jim Koester, and walked him and his assistant through a process of deleting the file from their computer hard drives.

Koester said he willingly complied, but was unnerved.

“The more I thought about it, the more troubled I was,” he said. “What if this had fallen into the wrong hands? It’s scary. If this is happening now, how can clients of MNsure be confident their data is safe?”

They can’t be confident of it. Fortunately, Koester is an honest man. You can expect to see more of this sort of thing happening, because there’s a big rush of data gathering going on to get MNsure and the other health care exchanges up and running in time to comply with the deadlines set out by the Obamacare law, which are approaching quickly:

Users of the exchange will need to provide sensitive information, including Social Security numbers, that will be sent to a federal hub to verify such things as citizenship and household income. This information will determine whether consumers using MNsure qualify for public health programs or tax credits that will lower the cost of premiums.

All states and the federal government, which also is setting up exchanges for some states, are scurrying to get the complex system running in less than three weeks.

How comfortable are you about disclosing all this information? At least one local observer isn’t very confident at all:

“The people who believe in this are so driven that there’s a subcontext of ‘Just let us do our job and get as many people signed up as possible, and we’ll pick up the debris later,’ ” said Steve Parente, a University of Minnesota finance professor who specializes in health IT issues.

Parente testified on Capitol Hill earlier this week, urging caution in pushing the federal hub online before it has been thoroughly tested. 

Working with digital data “is a convenient and simple convention to move things along,” Parente said. “But the downside is that it can have unintended consequences. It takes time to parse and curate and edit. You can’t do that if you’re in a rush.”

For his part, Koester, the agent who received the file, is very troubled by it all:

Koester, the agent, had been working with MNsure staff because he was having trouble registering for classes to get trained as a certified “navigator” to help people sign up for coverage.

Koester said there had been some back-and-forth with a MNsure staffer when he received an e-mail and attachment that took him by surprise: page after page of names, business addresses, license numbers and Social Security numbers.

MNsure was collecting Social Security numbers so that the Department of Commerce could count the navigator’s training as part of the brokers’ state-mandated continuing education credits, according to the officials.

As soon as the MNsure staffer realized the mistake, she called Koester to ask him and his assistant to delete the file. MNsure manager Krista Fink followed up with more detailed instructions.

“She didn’t tiptoe through the tulips; she was very serious,” Koester said. “But the gorilla in the room is that they sent me something that’s not even encrypted. It’s unsecured, on an Excel spreadsheet — which is using outdated technology to transfer that information in the first place. They’ve got to realize they have a huge problem.”

Not just “they,” Mr. Koester. Get ready, kids. This is gonna be ugly.

Cross-posted and comments welcome at Mr. Dilettante’s Neighborhood.