A state auditor has found that Connecticut’s health insurance exchange failed to report the multiple cybersecurity breaches it had suffered over the course of five years - and that the platform should do more to safeguard users’ data.
According to the Connecticut State Auditors of Public Accounts, the health insurance exchange Access Health CT was the target of 44 data breaches between July 2017 and March 2021, in addition to a phishing scam that affected 1,100 individuals. However, these 44 breaches were not reported to the auditor or Connecticut’s Comptroller’s Office as required by law.
It was also found that of the 44 data breaches auditors found – which were reported to the attorney general, but not to other state authorities – 34 were related to Access Health CT’s call center vendor, Faneuil.
Faneuil continues to administer Access Health CT’s call center, and three more breaches involving the center have been reported this year, according to the New Haven Register.
State Auditor John Geragosian also assessed the health insurance exchange’s IT security policies and found them wanting.
“Internal controls were not adequate to prevent the breaches of client data,” Geragosian said in a statement.
Access Health CT spokesperson Kathleen Tallarita said in a statement that most of the breaches were small and affected only one consumer at a time. Tallarita added that the agency has hired a cybersecurity firm to implement a stronger cybersecurity framework.
Based on information from the Connecticut Attorney General, Access Health CT reported a total of 110 breaches between 2013 and 2020.