Between November 2020 and February 2021, Vermont Health Connect Suffered 10 Data Breaches
At the End of Last Year, the Website Was Shut Down to Try to Identify the Issue.
Since December 2020, Vermont Health Connect, a leader in healthcare reform, has received multiple complaints from customers who reported logging in and finding someone else’s information in their account.
According to almost 900 pages of public documentation, names, health care plans, annual revenue, birth dates, and other sensitive data were compromised in these data breaches.
At the end of December, the website was closed down in order to try to identify the problem.
Although company representatives say the issues have been fixed, it’s the latest unfortunate incident for a system that has historically been plagued by security and technical problems.
The data breaches could be even more widespread, but Vermont Health Connect’s managers don’t know for sure whether there are similar breaches that haven’t been announced.
Jon Rajewski, a managing director at the cybersecurity response company Stroz Friedberg, stated:
If my data was being stored on a website that was personal — maybe it contains names or my Social Security number, like my status of insurance… — I would expect that website to secure it and keep it safe. I wouldn’t want someone else to access my personal information.
An investigation shows that between November and December, 75,000 people visited the Vermont Health Connect website for a total of 330,000 page views.
According to Andrea De La Bruere, executive director of the Agency of Human Services, the problem was resolved on February 17 and no similar issues have been announced since.
She added that the breaches did not contravene the Health Insurance Portability and Accountability Act (HIPAA) and that the compromised data was not protected health information.
Health Care Advocate Mike Fisher declared:
No matter what the law says technically, whether it’s HIPAA-related or just one’s personal information, it’s really concerning.
It is important that people can access the system and that it’s risk-free, as thousands of users will be logging into Vermont Health Connect in the following weeks to benefit from discounts granted by the American Rescue Plan.
According to VTDigger, the problem first came to light in mid-November when a few Vermont Health Access clients logged in and discovered another user’s personal information. Similar situations took place in November, and afterward on several days in December.
When Department of Vermont Health Access staff members warned about the situation, the staff escalated the tickets to “URGENT.” While the affected Vermont Health Connect users were notified, the data breaches were never made public.
OptumInsights, a national health care tech company that hosts and manages Vermont Health Connect, seemed unable to discover the glitch, stating that “it is hard to find the root cause of the issue.”
The organization stopped the creation of new accounts on December 14, and a week later the website was completely closed down to install a short-term fix. Even though fixes were made, a similar incident was reported on January 13, 2021.
Darin Prail, agency director of digital services, declared:
It’s a very complex interplay of many pieces of software on the back end. The complexity made it challenging to identify the problem, and to fix it without introducing any new issues.
This is not the first time Vermonters have been able to see other users’ private data. Since October 2019, people have logged in to find another individual’s insurance papers. These unpleasant events were ascribed to human error, not to a system breakdown.
Darin Prail said it is possible that an employee uploaded documents to the incorrect website.
In spite of the issues, Prail said he and other state officials have been happy with Optum. He also said that glitches are unavoidable and commended Optum for its speed in handling them.
He concluded by saying that the Agency of Human Services had no plans to end its contract with the company.