Connecticut's Obamacare exchange on Saturday night issued an updated statement on the data breach.
The Access Health CT exchange said that the notepads found in a backpack left on a street near the exchange, which contained personal information of about 400 people, "appear to belong to an employee of Maximus, the vendor providing call center services" to the exchange.
"Close examination of the data is indicating that fewer than 200 Social Security numbers were contained," said the exchange's chief operating officer. "While the investigation as to the source of the breach continues, Access Health CT has begun calling individuals whose names were handwritten on the work papers to inform them of this potential breach. "
The exchange said consumers will be offered, at no cost to them ''credit monitoring, fraud resolution, identity theft insurance, and security freezes of credit reports."
"As we said yesterday, we are sorry this happened. This is a serious situation that we are working to rectify as quickly as possible, and we'll do whatever is necessary to try to prevent it from happening."
Officials in Connecticut are investigating what could be the first known case of ID theft related to Obamacare enrollment information, it was revealed Friday.
As many as 400 people enrolled in Connecticut's state-run Obamacare exchange may have had their Social Security numbers and other personal information stolen, officials said Friday afternoon.
The "very serious" data breach came to light Friday when a person found a backpack on a street in downtown Hartford, the state's capital, which contained "four notepads with personal information for approximately 400 individuals," according to Kevin Counihan, CEO of the Access Health CT exchange. Access Health is located on the street where the backpack was found with the handwritten notes.
"The backpack also contained Access Health CT paperwork and it appears that some of that personal information may be associated with Access Health CT accounts," said Counihan.
"It is still unclear where that backpack came from, and we are working with the Hartford Police Department to investigate, and contact the individuals whose information may be compromised," he said.
Counihan called it a "potential issue of identity theft."
Deputy Hartford Police Chief Brian Foley said cops went to Access Health CT offices at around 2:15 p.m. to meet with an official there "regarding an employee possibly taking customers personal information."
Notes in the backpack included "possible customer information for Access Health CT, including people's names, dates of birth, and some Social Security numbers," Foley said, adding "It is unknown if anybody's personal information was compromised."
Counihan said the exchange's legal department is in the process of notifying state and federal officials about the breach, as required.
"Let me be clear," Counihan said. "We are sorry this happened. This is a very serious situation and we will hold the person or persons who are responsible to account."
"We will work tirelessly until we have remedied this problem and can prevent any such reoccurrence."
Aaron Albright, a spokesman for the federal Centers for Medicare and Medicaid Services, said: "This situation does not involve consumers who have used HealthCare.gov. We are in contact with Connecticut and the state is providing updates on this incident."
HealthCare.gov is the federally run Obamacare exchange, serving 36 states.
Last fall, before the launch of the Obamacare enrollment, an employee of Minnesota's state-run exchange MNSure accidentally sent an email to an insurance broker containing the Social Security numbers of more than 2,400 insurance agents, as well as their names, business addresses and other personal information.
In early December, it was revealed that California's exchange, Covered California, had given insurance agents the names and addresses of tens of thousands of people who had shopped for health plans on that marketplace, but not indicated they wanted to be contacted by agents.
Covered California officials at the time defended that move as legal and proper.
The new incident in Connecticut is a rare black eye for the Nutmeg State's Obamacare exchange, which is considered one of the best of the 15 Affordable Care Act marketplaces operated by individual states and the District of Columbia.
Connecticut's exchange was considered such a success that even before the end of the recently closed open-enrollment period for Obamacare health plans, Counihan in February announced plans sell Access Health CT's exchange infrastructure to other exchanges.
Maryland's badly flawed exchange in March said it planned to use Connecticut's exchange platform to replace its own.
The possible data theft in Connecticut came to light a day after Access Health CT announced a new mobile application for smartphone and iPad users will help people shop for health insurance using those devices.
—By CNBC's Dan Mangan.