Sen. Kelly Calls for Full Transparency from Access Health CT Vendor
June 11, 2014Hartford – State Senator Kevin Kelly (R-21), Ranking Member of the General Assembly’s Insurance and Real Estate Committee, today called for Access Health CT’s call center vendor Maximus to supply a complete account of current security policies and protocols to the legislature’s Insurance Committee. His demands are in response to the security breach uncovered on Friday.
“What disturbs me most about this situation is the timeline. The employee responsible for this egregious error did not come forward until after the news reported on the situation,” said Senator Kelly. “I’m sure he realized almost immediately that he lost his backpack. But did he even go back to look for it? What we do know is that he did not let his supervisors know he lost highly sensitive information that jeopardized hundreds of people’s personal data. Instead, he waited over 24 hours to come forward and only after the press reported finding the backpack. The timeline raises serious questions about not only Maximus’s preventative protections, but also their crisis response procedures.”
Senator Kelly is asking for complete transparency from Maximus so that officials, including the state legislature, can fully understand how this information made it out of the building in the first place and take actions necessary to prevent such breaches from happening again.
“My concern is that people who don’t have insurance will use this as one more excuse not to get it. As a lawmaker, it is my responsibility, along with my colleagues, to secure the consumer protections the people of Connecticut deserve. We cannot guarantee that people will be protected, and we cannot brush this off as an isolated incident, until we have full disclosure of what went wrong. We need to understand why it took so long to realize sensitive information was removed from the Maximus office.”
Considering possible remedies to this situation, Senator Kelly pointed to a previous legislative attempt to safeguard consumer information that was defeated earlier this year. Senate Bill 276 would have required Access Health CT to report quarterly on, “the status of the exchange’s data privacy protections and the exchange’s success rate in ensuring that personally identifiable information is not released.” The Insurance Committee took no action on the bill after the public hearing on March 4.
In his testimony against the proposed bill, Kevin Counihan, CEO of Access Health CT stated:
“We already have in place an active and transparent communication process to track and relay information on any real or potential PII [personally identifiable information] issues, which complies with all current state and federal requirements…the mandated requirements in this bill pose an enormous burden on our organization in both staff time and financial resources.”
Senator Kelly disagrees because it is apparent that state requirements are insufficient to protect private consumer information.
In a press conference yesterday, a Maximus spokesperson talked about ways their own staff will remedy the situation and described shifting to a paperless office in which dry erase boards would replace pen and paper.
“Are dry erase boards really the best solution a leading worldwide company can offer us?” said Senator Kelly. “It is time to revisit legislative action and our past concerns. We need to enact safeguards so there is no single point of failure. Dry erase boards do not cure the problem. We have to think bigger than that.”