Wednesday, April 16, 2014
By Dave Gram
The Associated Press
MONTPELIER, Vt. — The state official overseeing the Vermont Health Connect insurance exchange issued three notifications about a mid-October security lapse on the exchange website before telling a legislative committee that such a lapse had not happened.
Mark Larson, commissioner of the Department of Vermont Health Access, directed staff to notify the federal Centers for Medicare and Medicaid Services of the problem Oct. 17, in accordance with CMS rules, and the attorney general’s office the following week, in accordance with state law, he told The Associated Press on Friday.
Larson said he also notified Gov. Peter Shumlin’s office shortly after the breach occurred.
The reports appear to raise questions about Larson’s assertion this past week – and similar statements by Shumlin – that the incident didn’t seem significant enough to mention when Larson was asked at a legislative hearing Nov. 5 whether there had been any unauthorized disclosures of private information through the website.
The Oct. 17 report to CMS said a consumer had contacted Vermont Health Connect to say he had received in the mail a copy of his own application for insurance under the state exchange that included his Social Security number and other private information.
“On the back of the envelope was hand-written ‘VERMONT HEALTH CONNECT IS NOT A SECURE WEBSITE!’ This was also (written) on the back of the last page of the printed out application,” said the incident report.
Larson has been under fire – and has apologized repeatedly – since Nov. 22, when the AP reported that it had obtained a copy of the CMS report after a request under Vermont’s public records law and that Larson had denied at the hearing that any security breaches had occurred. On Monday, both Shumlin and House Speaker Shap Smith issued statements saying they found Larson’s misstatements to the House committee “unacceptable.”
“I failed to disclose this in answer to questioning because it did not occur to me at the time that it was responsive” to the questions from Rep. Mary Morrissey, R-Bennington and a member of the House Health Care Committee, Larson wrote in a Nov. 24 letter of apology to the committee’s chairman, Rep. Mike Fisher.
“This single incident did not result from an external breach or result in an actual misuse of private information,” Larson added. “It was limited to an inadvertent sharing of information between two individuals, rather than a broader, purposeful or improper data breach, and it did not require further action or public reporting under either CMS rules or state law.”
Shumlin also downplayed the significance of the security lapse as he both criticized and defended Larson for failing to disclose it to the House committee, noting that CMS had investigated the incident and closed its probe.
“So we reported it way back when. CMS said, ‘Yeah, this doesn’t rise to the level of concern,’ and I think that was how Mark understood the question. That’s what he was focused on in his answer,” Shumlin said Monday.
On Wednesday, Larson said in a voicemail left for an AP reporter that his office had reported the October incident not just to CMS but also to the office of Attorney General Bill Sorrell. In Friday’s interview, he added that he had also notified Shumlin’s office after it occurred.
Darcie Johnston, head of Vermonters for Health Care Freedom and a frequent critic of the state’s health system overhaul efforts, asked in an interview, “Why was it important enough to tell the governor at the time and not important enough to answer Mary Morrissey’s question three weeks later?”
At the Nov. 5 hearing, Morrissey asked Larson, “Have we had any security failures in Vermont within the system?”
He replied, “We have found no situation where somebody’s private information has been breached.”