The Breach in the Ointment of the Affordable Care Act
While certainly not among the largest breaches of recent memory in terms of records lost, this breach has the power to become leverage in one of the most divisive political battles of our time: the Affordable Care Act. Last week an employee of MNsure, the state of Minnesota's new health insurance exchange (HIX), caused the breach by sending an email with an Excel spreadsheet attachment containing the personal information of 2,400 insurance agents.
MNsure's errant email immediately raises the broader question of how personal information will be secured within the state exchanges, especially since the exchanges are scheduled to launch soon, allowing select US buyers to start comparing healthcare options. That launch date is set for Oct. 1 – just fifteen days from now.
With the help of many different information security technologies – many of them very basic and in wide use today across healthcare organizations – this breach could easily have been avoided.
Among these are data loss prevention (DLP) enforcement technologies, which can accurately detect the presence of personally identifiable information (PII) in outbound email and attachments and then take the action a policy prescribes. As a remediative action, this email could have been blocked outright, with notifications going to both the sender and select administrators explaining that the email was blocked, why it was blocked, and what to do next. Alternatively, DLP policies can quarantine an email pending further review or force it through an encryption process to secure its contents.
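To make the DLP decision flow above concrete, here is an added example that is not part of the original post and not any vendor's product code. It scans a constructed CSV export of an agent roster (standing in for the Excel attachment), classifies each cell against a few PII detectors, picks the strictest of the three remediations the post names (block, quarantine, encrypt) when the recipient is outside the organization, and drafts the sender and administrator notifications. The detector patterns, the policy table, and the `exchange.example` internal domain are all assumptions chosen for illustration.

```python
import csv
import io
import re
from dataclasses import dataclass

# Detectors for the PII kinds the policy keys on. Hypothetical patterns for
# illustration only; production DLP engines use validated, tuned rule sets.
DETECTORS = {
    "ssn":   re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

# Per-kind remediation (assumed policy); the strictest action found wins.
POLICY = {"ssn": "block", "phone": "encrypt", "email": "quarantine"}
SEVERITY = {"allow": 0, "encrypt": 1, "quarantine": 2, "block": 3}
PAST_TENSE = {"block": "blocked", "quarantine": "held for review",
              "encrypt": "encrypted before delivery"}

INTERNAL_DOMAIN = "exchange.example"  # placeholder, not a real domain


@dataclass
class OutboundMail:
    sender: str
    recipients: list
    subject: str
    attachment_name: str
    attachment: bytes


def scan_csv(data: bytes) -> list:
    """Return (kind, row, column) for every cell that matches a detector."""
    findings = []
    reader = csv.DictReader(io.StringIO(data.decode("utf-8", errors="replace")))
    for row_no, row in enumerate(reader, start=2):  # row 1 is the header
        for column, value in row.items():
            if not isinstance(value, str):  # missing cell or overflow list
                continue
            for kind, pattern in DETECTORS.items():
                if pattern.search(value):
                    findings.append((kind, row_no, column))
                    break  # one classification per cell


    return findings


def decide_action(findings: list, recipients: list) -> str:
    """Strictest action any finding demands, but only for external delivery."""
    external = [r for r in recipients
                if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    if not findings or not external:
        return "allow"
    return max((POLICY[kind] for kind, _, _ in findings),
               key=SEVERITY.__getitem__)


def build_notices(mail: OutboundMail, action: str, findings: list) -> dict:
    """Sender gets what happened and why; admins get the detail for triage."""
    counts = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    summary = ", ".join(f"{n} {k}" for k, n in sorted(counts.items()))
    sender = (f"Your message '{mail.subject}' was {PAST_TENSE[action]}: the "
              f"attachment {mail.attachment_name} contains {summary} values "
              f"and at least one recipient is outside {INTERNAL_DOMAIN}. "
              f"Use the secure file-transfer portal for this data.")
    admin = (f"DLP {action}: {mail.sender} -> {', '.join(mail.recipients)}; "
             f"{len(findings)} findings ({summary}) in {mail.attachment_name}.")
    return {"sender": sender, "admin": admin}


def process(mail: OutboundMail) -> dict:
    """Full pipeline: scan the attachment, decide, and prepare notifications."""
    findings = scan_csv(mail.attachment) if mail.attachment_name.endswith(".csv") else []
    action = decide_action(findings, mail.recipients)
    notices = build_notices(mail, action, findings) if action != "allow" else {}
    return {"action": action, "finding_count": len(findings), "notices": notices}


# Constructed sample attachment: names, contact details and identifiers are fictitious.
SAMPLE_CSV = b"""agent_name,agent_email,phone,ssn,license_no
Jane Roe,jane.roe@example.com,612-555-0100,123-45-6789,MN-00123
John Doe,john.doe@example.com,651-555-0101,234-56-7890,MN-00456
Ana Lee,ana.lee@example.com,763-555-0102,345-67-8901,MN-00789
"""

SAMPLE_MAIL = OutboundMail(
    sender="staff@exchange.example",
    recipients=["partner@outside-agency.example"],
    subject="Agent roster",
    attachment_name="agents.csv",
    attachment=SAMPLE_CSV,
)

if __name__ == "__main__":
    result = process(SAMPLE_MAIL)
    print(result["action"], result["finding_count"])
    for who, text in result["notices"].items():
        print(f"[{who}] {text}")
```

The same message sent only to `@exchange.example` addresses is allowed, which is the usual first policy tier; an attachment that carries only email addresses is quarantined for review rather than blocked, and one that carries phone numbers but no SSNs is forced through encryption. In a real deployment the detectors would also need to handle spreadsheet formats, archives and OCR of images, which is the hard part of DLP and why the post calls these products "in wide use" rather than trivial.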
The fact that this stray email made it past widely used and generally accepted IT security best practices and enforcement technologies should cause serious concern as to whether MNsure – or any health insurance exchange, for that matter – will have appropriate technologies in place to protect personal information in time for the Oct. 1 scheduled launch.
Will the health insurance exchanges be ready to serve the public, without also serving up the public’s personal information on a silver platter?