State Sen. Kevin Kelly (R-21), ranking member of the General Assembly’s Insurance and Real Estate Committee, Tuesday called for Access Health CT’s call center vendor Maximus to supply a complete account of current security policies and protocols to the legislature’s Insurance Committee. His demands are in response to the security breach uncovered on Friday.
“What disturbs me most about this situation is the timeline. The employee responsible for this egregious error did not come forward until after the news reported on the situation,” said Kelly. “I’m sure he realized almost immediately that he lost his backpack. But did he even go back to look for it? What we do know is that he did not let his supervisors know he lost highly sensitive information that jeopardized hundreds of people’s personal data. Instead, he waited over 24 hours to come forward and only after the press reported finding the backpack. The timeline raises serious questions about not only Maximus’s preventative protections, but also their crisis response procedures.”
Considering possible remedies to this situation, Kelly pointed to a previous legislative attempt to safeguard consumer information that was defeated earlier this year. Senate Bill 276 would have required Access Health CT to report quarterly on, “the status of the exchange’s data privacy protections and the exchange’s success rate in ensuring that personally identifiable information is not released.” The Insurance Committee took no action on the bill after the public hearing on March 4.
In a release from Kelly’s office it quoted Kevin Counihan, CEO of Access Health CT, in testimony about the bill:
“We already have in place an active and transparent communication process to track and relay information on any real or potential PII [personally identifiable information] issues, which complies with all current state and federal requirements … the mandated requirements in this bill pose an enormous burden on our organization in both staff time and financial resources.”
In a press conference Monday, a Maximus spokesperson spoke about ways their own staff will remedy the situation and described shifting to a paperless office in which dry erase boards would replace pen and paper, according to Kelly’s office.
“Are dry erase boards really the best solution a leading worldwide company can offer us?” said Kelly. “It is time to revisit legislative action and our past concerns. We need to enact safeguards so there is no single point of failure. Dry erase boards do not cure the problem. We have to think bigger than that.”