Office of the Legislative Auditor - Financial Audit Division

Report Summary
MNsure: An Unauthorized Disclosure of Private Data
Special Review

 

Financial Audit Division Report 13-27

Released November 7, 2013

---

On September 12, 2013, a MNsure employee e-mailed a document with private data in it to an individual not authorized to see the data. The next day, the Office of the Legislative Auditor learned of the disclosure and initiated a special review. We reached two conclusions based on the following findings:

Conclusions and Findings

The disclosure by a MNsure employee was unintentional; we found no evidence of malicious intent. MNsure responded appropriately after the disclosure occurred.¹

• The unauthorized disclosure of private data occurred when a MNsure employee mistakenly attached a document containing private data to an e-mail. We found no evidence of malicious intent.
• MNsure responded quickly to the unauthorized exposure of private data and followed the notice requirements of state law.

In developing a certification process for insurance brokers, MNsure officials made decisions that contributed directly to the disclosure of private data.

• MNsure decided to collect Social Security numbers from insurance brokers although that data was not needed for MNsure to fulfill its responsibilities.
• MNsure decided to collect personal data, including Social Security numbers, from insurance brokers using e-mail without fully assessing and mitigating the risks involved and without considering a more secure and efficient alternative.
• MNsure did not adequately secure private data residing on its internal computer network.
• MNsure assigned few staff to develop the broker certification process.
• MNsure did not effectively organize the information it collected from brokers.
• MNsure relied on data security and privacy training that may not have been adequate.

 

---

¹ Our conclusion does not include a judgment on MNsure’s decision to terminate the employee who disclosed private data.