MNsure: An Unauthorized Disclosure of Private Data
Financial Audit Division Report 13-27
Released November 7, 2013
On September 12, 2013, a MNsure employee e-mailed a document with private data in it to an individual not authorized to see the data. The next day, the Office of the Legislative Auditor learned of the disclosure and initiated a special review. We reached two conclusions based on the following findings:
Conclusions and Findings
The disclosure by a MNsure employee was unintentional; we found no evidence of malicious intent. MNsure responded appropriately after the disclosure occurred.[1]
- The unauthorized disclosure of private data occurred when a MNsure employee mistakenly attached a document containing private data to an e-mail. We found no evidence of malicious intent.
- MNsure responded quickly to the unauthorized exposure of private data and followed the notice requirements of state law.
In developing a certification process for insurance brokers, MNsure officials made decisions that contributed directly to the disclosure of private data.
- MNsure decided to collect Social Security numbers from insurance brokers although that data was not needed for MNsure to fulfill its responsibilities.
- MNsure decided to collect personal data, including Social Security numbers, from insurance brokers using e-mail without fully assessing and mitigating the risks involved and without considering a more secure and efficient alternative.
- MNsure did not adequately secure private data residing on its internal computer network.
- MNsure assigned few staff to develop the broker certification process.
- MNsure did not effectively organize the information it collected from brokers.
- MNsure relied on data security and privacy training that may not have been adequate.
[1] Our conclusion does not include a judgment on MNsure’s decision to terminate the employee who disclosed private data.