Employee Held Responsible for State Health Exchange Breach on Leave

The employee believed to be responsible for a backpack full of confidential documents from Connecticut's health insurance marketplace found lying in the street in Hartford has been placed on administrative leave, Access Health officials said Sunday.

On Monday, House Republican Leader Larry Cafero called the incident an “appalling lack of oversight.”

According to Access Health, the person held responsible is an employee of a company called Maximus, the call vendor for the health care exchange.

A release from Access Health CT, the state-run exchange created in the wake of the 2010 health care overhaul, said the employee came forward after seeing a news report on the backpack on Friday night.

The backpack, found outside the Access Health office on Trumbull Street in Hartford on Friday, contained four notepads with handwritten names and birth dates of about 400 people, along with the Social Security numbers for 151 people, Access Health CT Chief Marketing Officer Jason Madrak said over the weekend.

Such notes can be used to help customers navigate the enrollment process, Madrak explained in the news release.

The employee had been at a deli on Thursday, said he left around 4:30 p.m. and thought he had his backpack when his ride picked him up, officials from Maximus said.

When he realized that he did not have it, the employee checked with the person who gave him a ride home. On Friday, he looked for it when he got to work and still could not find it, according to Maximus.

Somehow, the backpack wound up with House Republicans and a staff member contacted the administrator of Access Health CT, according to Cafero.

The Maximus employee came forward after seeing a news report on the backpack on Friday night.

“It strikes me as odd that someone felt compelled to compile the data into a notebook and take it from the intake offices,” Cafero said in a statement.

Hartford police said Friday they were investigating to determine whether a security breach had occurred.

Access Health officials are contacting the individuals whose personal information may have been compromised.

The owner of the backpack is on administrative leave and “has had all system access privileges revoked,” according to Madrak.

Officials from Maximus said there is no reason to believe the information was used for fraudulent purposes. The employee responsible is remorseful, passed a background check and went through security training. 

There is a shredder onsite and employees are supposed to shred any personal information and not take it home.

The company is in the process of moving toward a "paperless office," so this does not happen again.

“While we are still working to understand exactly why this person took the information out of the building, based on what we have learned so far it does not appear there was malfeasance on the part of this person,” Madrak said in the release.

Representatives from the health care exchange said individuals whose names were on the notepads will be offered free credit monitoring, fraud resolution, identity theft insurance and credit report security freezes.

“We are sorry this happened, and we are working to rectify as quickly as possible, as well as doing whatever is necessary to prevent it from happening again,” Madrak said in a statement.

“This disturbing development highlights the concerns we raised three months ago during a hearing that we were afraid something like this might happen,” Cafero said in a statement. “We were told by Access Health CT overseers that our proposals for background checks and other safeguards were not needed, that the security situation was in hand. Clearly, that was not the case.”
