MONTPELIER — A state official revealed a second privacy breach Tuesday involving users on the state’s online health exchange but said the minor incident was caused by human error and did not involve a technology breakdown.
Mark Larson, commissioner of the Department of Vermont Health Access, told the Health Care Oversight Committee Tuesday of the “privacy incident,” but said there was no “security breach.” Rather, a Vermont Health Connect representative made a human error, he said.
“This incident was isolated to two unique Vermont Health Connect users. It was a result of manual human customer service error and there was not a risk to other Vermont Health Connect users,” Larson said. “The issue has been investigated by Vermont Health Connect. We have made the appropriate reporting to CMS as we did in the other incident that was discussed prior.”
The privacy breach did not involve any outside intrusion into secure parts of the website or any type of hacking, Larson said.
The disclosure for the weekend incident was in stark contract to a first security breach revealed in November. Larson, when asked directly at a Nov. 5 House Health Care Committee hearing about security lapses, said no private information had been breached.
However, a records request made by the Associated Press revealed the department knew of a security breach about three weeks before Larson’s testimony to the House Health Care Committee. Larson’s vague answers to the committee earned a rare public rebuke from Gov. Peter Shumlin and House Speaker Shap Smith.
According to Larson, in the weekend incident a user called VHC to modify an application. The customer service representative attached information from another user with the exact same name to the caller’s file, he said.
Check the Wednesday editions of the Herald and Times Argus for the full story.