Obamacare data breaches sure do make for strange bedfellows.
An unidentified man who found the information of more than 400 health-care exchange enrollees in a backpack at a Hartford deli first contacted a Republican legislator, a GOP lawmaker revealed Monday.
A spokesman for state House Republican leader Lawrence Cafero Jr., conceded it was eyebrow-raising that the person first informed the leading critics of the state's health-care exchange. But he attributed it to the fact that the man lived in a district represented by a GOP caucus member, and noticed the data appeared connected to a health-care organization.
Also Monday, Maximus, the call center vendor for Connecticut's health-care exchange whose worker admitted to owning that backpack, said the employee "made a mistake" and "misplaced" the backpack after taking it from the exchange's offices.
Management at the exchange—who said the policy is to shred notes containing information about enrollees by the end of each day—now are being given erasable boards to take such notes while helping a person navigate the application and enrollment process.
Cafero blasted Connecticut's exchange for an "appalling lack of oversight" that led to the incident, which is the first known breach of enrollment data since the launch of the health insurance marketplaces.
Cafero also said that exchange officials had minimized the risk of such a breach in recent months.
Hartford's police department wrote in a statement, "This incident is under investigation by the Hartford Police Department Major Crimes Division fraud detectives. We are working cooperatively with Federal resources through this investigation.
This is an active investigation and released details will be very limited. Potentially, personal information may have been compromised. Access Health CT is taking measures to protect any possible victims as well as working with our investigators."
Cafero released new information Monday about the situation after exchange officials announced that the worker had been suspended pending an investigation.
It was already known late last week that names, addresses, birth dates and Social Security numbers of several hundred enrollees were found handwritten on four notepads inside the backpack.
Exchange officials on Monday said that there was information about 413 enrollees on the pads, including the Social Security numbers for 151 of them.
A chain of events
Cafero's office said a man on Thursday had spotted the backpack underneath a table outside at the New York Deli & More on Trumbull Street.
He then took it to the owner of the deli and "said 'I found this, do you want this thing?' and the owner says 'I don't want anything to do with this thing,'" said Cafero's spokesman Pat O'Neil.
The man then reached out to the House GOP's office at the state General Assembly, apparently because he lives in state Republican Rep. Jay Case's district, in Winsted, Cafero said. The man left a voicemail, but that message was not retrieved by staff until Friday.
After hearing the message, a staffer for the Republican caucus then contacted Access Health CT director Kevin Counihan about the backpack, and it was returned to the exchange.
Counihan disclosed the breach on Friday afternoon.
Seeing news coverage of the breach, the Maximus worker came forward and admitted that the notepads belonged to him. According to both the exchange and Maxmius, the worker had taken the pads outside of the exchange offices in violation of security protocols.
"While we are still working to understand exactly why this person took the information out of the building, based on what we have learned so far, it does not appear there was malfeasance on the part of this person," said Jason Madrak, chief marketing officer of the Access Health CT exchange.
The unidentified worker has been placed on administrative leave and has had all system privileges revoked, according to Madrak.
Madrak also said, "The notes found on the pads are consistent with the kind that are sometimes made by call center representatives when they service clients in the enrollment process."
Despite that statement, Cafero said, "It strikes me as odd that someone felt compelled to compile the data into a notebook and take it from the intake offices."
"This disturbing development highlights the concerns we raised three months ago during a hearing that we were afraid something like this might happen," Cafero said. We were told by Access Health CT overseers that our proposals for background checks and other safeguards were not needed, that the security situation was in hand. Clearly, this was not the case."
Cafero, who noted that Republicans were concerned about the potential for identity theft, said that GOP-proposed legislation that would have included mandating background checks for workers in the application processing office were rejected by Access Health CT and Democratic lawmakers.
In a prepared statement, Maximus said, the company "takes full responsibility for this incident, and we regret any concern that this has caused Access Health CT consumers. Protecting citizens' private information is our No. 1 priority, and we will be notifying all affected individuals to offer them free fraud prevention services to help ensure peace of mind."
"We are also reinforcing security and training policies and procedures to help ensure that this does not happen again."
Maximus also said the company conducts criminal background checks for prospective employees and also trains workers in handling personal data.
"The person involved in this incident had cleared all required background checks and training before beginning work in the Access Health CT customer contact center," Maximus said. "The team member violated company policy, which strictly prohibits the removal of personal data."
Connecticut's health-care marketplace is considered among the country's most successful. Under the health-care law, people can enroll in private health insurance plans or check their Medicaid eligibillty as part of the mandate that nearly all Americans obtain some form of health coverage this year or pay a fine.
In February, Counihan said Access Health CT would look to franchise its exchange platform to other states.
Maryland, whose own exchange floundered during the open-enrollment period, plans to use Connecticut's exchange system to replace its own.
—The Associated Press contributed to this report.