Yesterday, the State’s Auditors of Public Accounts released an audit of the Connecticut Health Insurance Exchange that revealed data breaches of clients’ personal information, lax departmental oversight, and failure to properly background check employees.

“Our audit identified internal control deficiencies; instances of noncompliance with laws, regulations, or policies; and a need for improvement in practices and procedures that warrant management’s attention,” read the auditors’ report.

The Exchange, also known as Access Health Connecticut, is a quasi-public organization that runs the State’s health insurance marketplace in accordance with the Affordable Care Act. It provides uninsured Connecticut residents and small businesses with insurance eligibility information and allows them to shop for eligible plans. It also serves as a portal for low-income residents and families to apply for Medicaid and the Children’s Health Insurance Program. According to their website, 129,895 residents have signed up for health plans through the Exchange in 2024.

The audit, which studied the Exchange between the years of 2020 and 2021, found that the Exchange suffered 51 data breaches of clients’ personal information, one of which exposed 160 clients’ information, and three of which it failed to disclose to the Auditors and State Comptroller. These breaches occurred through both the Exchange itself and five of its contractors, one of which incurred 14 data breaches. The audit noted that the Exchange is statutorily required to notify both the Auditors and State Comptroller of any security breaches, to which the Exchange pleaded ignorance.

“The exchange was not aware of the breach of security notification requirements of the General Statutes,” read the audit. “The exchange did not implement sufficient internal controls to prevent breaches of client data.”

The Exchange’s response, recorded in the report, claimed that it “has notified the Audits of Public Accounts and the State Comptroller of any breach of security since 2021, when it became aware of this additional reporting requirement.” Worth noting is the fact that the Exchange’s failure to report data breaches was “previously reported in the last audit report covering the fiscal years 2018 through 2019,” per the audit.

“The Exchange recognizes the importance of strong information security controls especially given the sensitive nature of data the Integrated Eligibility System (IES) processes and stores,” read the Exchange’s response, recorded in the audit. “The Exchange monitors vendor compliance with security requirements and has implemented additional protocols to monitor compliance and improve vendor security practices.”

The audit also discovered a lack of documentation to prove that employees with access to clients’ personal information completed criminal background checks. The Exchange maintains a Navigator grant program, which provides grants to companies that help market the Exchange and promote the health plans it offers. The audit found no list of Navigator program employees, who have access to clients’ personal information, that had completed criminal background checks.

“We were unable to verify whether any personnel who did not undergo a criminal background check participated in the program,” read the audit. As a result, “there is reduced assurance that the Navigator organizations protected personally identifiable information.”

Senate Republican Leader Stephen Harding and Insurance and Real Estate Committee Ranking Senator Tony Hwang released a joint statement yesterday that called the data breaches “unacceptable.”

“When a government agency has a data breach impacting the people of Connecticut, the public has a right to know. These breaches expose citizens to identity theft, insurance abuse, and fraud,” read their statement. “This is completely unacceptable. We urge officials at the Exchange to seriously reevaluate its operations to ensure adequate protection of data and the transparency of information related to any data breaches.”

Another issue found by the Auditors’ report was the Exchange’s lack of oversight with regard to its enrollment system. The Exchange uses a system called the health insurance exchange eligibility and enrollment system (HIX) to allow prospective clients to determine what insurance they’re eligible for and shop for eligible health plans. The Exchange has customer relations specialists and call center staff that can assist clients with enrollment, and these staff are authorized to provide coverage and eligibility overrides to clients.

Coverage overrides are described by the Exchange as “changes to the date of enrollment” and eligibility overrides are described as being “for changes to eligibility for various programs.” The audit found that the Exchange failed to track or monitor its staff’s eligibility or coverage overrides, of which there were 23,252 that year, or require supervisor approval for these overrides. 

“A lack of internal controls increases the risk that clients receive improper health insurance coverage or are enrolled in programs they are not eligible for,” read the audit.

The Exchange stated that only a “very limited number of supervisors” at its call center are capable of performing overrides, and that it maintains a quality assurance process that notifies supervisors if a worker incorrectly performed an override, at which time it can be corrected.

Other issues noted by the audit were improperly documented purchases, poor overtime monitoring and an overall lack of compliance with statutory reporting requirements.

With regard to purchasing, the audit found several violations of the Exchange’s credit card policy, which requires monthly expense reports with receipts and requires new vendors to complete W-9 forms when charges exceed $600. It also requires purchase orders for all purchases greater than $600.

The audit found that the Exchange had received the equivalent of $1,816,229 in services before the respective purchase orders were approved. It also found eight credit card transactions that purchased $15,606 worth of “unallowable goods and services.”

The audit also found a lack of price quotes for three contracts that totaled $151,080, a lack of purchase orders for six credit card purchases that totaled $11,240, a lack of W-9 forms for six credit card purchases totaling $9,743, a lack of expense forms for six credit card purchases totaling $11,361 and a lack of an invoice for a credit card purchase totaling $2,590.

“The exchange has reduced assurance that funding will be available at the time of payment without the proper commitment of funds,” read the audit. “Noncompliance with purchasing policies increases the risk of improper purchases.”

Lack of proper purchase monitoring was also found in the Exchange’s 2018-19 audit. The most recent audit also found that the Exchange paid for $645 worth of unauthorized overtime, and failed to submit its annual and semi-annual investment reports while submitting its annual and three quarterly reports late.

In conclusion, the Auditors stated that the Exchange has “a need for improvement in management practices and procedures that we deemed to be reportable.”


A Rochester, NY native, Brandon graduated with his BA in Journalism from SUNY New Paltz in 2021. He has three years of experience working as a reporter in Central New York and the Hudson Valley, writing...
