MONTPELIER — Department of Vermont Health Access Commissioner Mark Larson unequivocally denied any security breaches within Vermont Health Connect to lawmakers earlier this month, information that was contrary to what he apparently knew at the time of his testimony before the House Health Care Committee.
Larson penned a letter of apology over the discrepancy to the committee’s chairman on Sunday, which was made public by the Shumlin administration on Monday.
Larson was peppered with questions by Republican Rep. Mary Morrissey during a Nov. 5 hearing about Vermont Health Connect, the state’s version of the online health insurance marketplaces required under the federal Affordable Care Act. Morrissey was inquiring about security concerns with the website.
The Bennington Republican said she had heard of security breaches and asked Larson if any users’ personal information had been accessed in an unauthorized way.
Larson responded unequivocally that no security breaches had occurred.
“We have no situations where somebody’s private information has been breached,” he said. “We have looked into and we have found no situation where somebody’s private information has been breached.”
Seemingly unconvinced, Morrissey tried again: “There has been none?” she
“Yes. We have done the appropriate investigation of each case. We’ve identified … we have investigated each one. We have followed our appropriate privacy and security procedures,” Larson responded.
In his apology letter, Larson acknowledged in his response to those questions his failure to include information about one particular case, first reported on Friday by the Associated Press.
“During the November 5th committee hearing, I was asked about whether any security failures had occurred in Vermont Health Connect. I responded that no situation had occurred where somebody’s private information had been breached. I then attempted to clarify that we had investigated all reports and followed appropriate procedures. I should have instead also included in my response the facts of this single incident, and am sorry that my statements to the committee did not do so,” Larson wrote.
The AP reported Friday that Larson’s department knew of a security breach about three weeks before his testimony to the House Health Care Committee. His office had notified the federal Centers for Medicare and Medicaid Services about an incident in which the social security number of one person using Vermont Health Connect was inadvertently supplied to another user on the system.
Gov. Peter Shumlin, who spoke with reporters Monday at an unrelated event, said the breach was the result of two users with similar user names.
“One of them got the other one’s information and alerted us to that fact. It was not an external security breach where people can go in and see other people’s information,” Shumlin said.
The governor said he became aware of Larson’s testimony “in the last couple of days by reading about it in the press.” Despite Larson’s “lapse in judgment,” Shumlin said the commissioner maintains his full support.
“I have absolute confidence in Commissioner Larson. He’s under tremendous pressure. They all are at Vermont Health Connect. He’s doing an extraordinary job there, working long hours, seven days a week. They’ll continue to get that website right and get good results,” Shumlin said.
The governor said he did not at any point consider asking Larson to resign his post.
“It’s as simple as this: We all make mistakes. None of us are immune to making mistakes. Commissioner Larson has acknowledged he made a mistake. He viewed the question, differently than, I think, objectively, many of us would have. I take Mark at his word that he made a mistake. We’re all capable of them. I make them, too. We go forward from here,” Shumlin said.
Read tomorrow’s editions of The Times Argus and Rutland Herald for full coverage of this story by Dave Gram, the Associated Press reporter who broke news of the security breach last Friday.