Minnesota Office of the Legislative Auditor
Financial Audit Division


Report Summary
MNsure: An Unauthorized Disclosure of Private Data
Special Review

Financial Audit Division Report 13-27 Released November 7, 2013

On September 12, 2013, a MNsure employee e-mailed a document with private data in it to an individual not authorized to see the data. The next day, the Office of the Legislative Auditor learned of the disclosure and initiated a special review. We reached two conclusions based on the following findings:

Conclusions and Findings

The disclosure by a MNsure employee was unintentional; we found no evidence of malicious intent. MNsure responded appropriately after the disclosure occurred.[1]

  • The unauthorized disclosure of private data occurred when a MNsure employee mistakenly attached a document containing private data to an e-mail. We found no evidence of malicious intent.
  • MNsure responded quickly to the unauthorized exposure of private data and followed the notice requirements of state law.

In developing a certification process for insurance brokers, MNsure officials made decisions that contributed directly to the disclosure of private data.

  • MNsure decided to collect Social Security numbers from insurance brokers although that data was not needed for MNsure to fulfill its responsibilities.
  • MNsure decided to collect personal data, including Social Security numbers, from insurance brokers using e-mail without fully assessing and mitigating the risks involved and without considering a more secure and efficient alternative.
  • MNsure did not adequately secure private data residing on its internal computer network.
  • MNsure assigned few staff to develop the broker certification process.
  • MNsure did not effectively organize the information it collected from brokers.
  • MNsure relied on data security and privacy training that may not have been adequate.

[1] Our conclusion does not include a judgment on MNsure’s decision to terminate the employee who disclosed private data.

Office of the Legislative Auditor ♦ Room 140, 658 Cedar St., St. Paul, MN 55155