A state audit of the Connecticut Health Insurance Exchange found 44 unreported data breaches from July 2017 to March 2021.
The exchange failed to follow state law, which requires quasi-public agencies to report breaches of members' personal information to the Connecticut Auditors of Public Accounts and the state comptroller, according to the March 1 report.
The audit says "the exchange did not take sufficient actions to ensure the confidentiality, integrity and security of client data."
One breach included a phishing scam that affected 1,100 members. One of the exchange's contractors accounted for 34 breaches, and five other entities were responsible for the remaining 10 breaches.
The contractor responsible for the 34 breaches is call center vendor Faneuil, according to an April 3 article by CT Insider.
In the audit, the exchange said it is implementing new security protocols and will comply with additional reporting requirements:
"The Exchange recognizes the importance of strong information security controls especially given the sensitive nature of data the Health Insurance Exchange systems process and store. The Exchange monitors vendor compliance with security requirements and is implementing additional protocols to monitor compliance and improve vendor security practices. The Exchange requires any vendor causing a breach to cover the cost of two years of security monitoring for clients who experienced a breach, and requires vendors to maintain sufficient liability insurance in case of a breach. The Exchange is currently working with two third-party vendors to assist with the implementation of a Risk Management Framework to provide comprehensive visibility and oversight into compliance with information security controls. The Exchange complies with statutory reporting requirements, and will comply with additional reporting requirements."