An audit of the Maryland health insurance exchange found, among the exchange's many problems, inadequate data security and control.
Carried out by the state Office of Legislative Audits, the review covered information for the Maryland Health Benefit Exchange (MHBE) between June 1, 2011, and July 23, 2014.
It found that personally identifiable information was not properly safeguarded, the MHBE network was not effectively secured, administrative access was excessive and not controlled, and assurance was lacking that critical data on contractor servers was secured.
Maryland's exchange crashed when it launched in 2013 and suffered ongoing technical problems, including a glitch that left up to 5,000 people thinking they were fully enrolled even though they weren't.
After spending $209 million, it cut ties with the initial contractor in February 2014, but decided to leave equipment containing enrollment data from the original exchange system at a data center owned by the contractor's parent company pending resolution of litigation.
A replacement exchange system was implemented in November 2014. The audit criticizes MHBE for failing to ensure personally identifiable information and federal tax information was secured while still with the original vendor or on the replacement system, and that user access to the replacement exchange system network, application files and servers was properly restricted.
Noridian Healthcare Services agreed to repay $45 million to settle claims that it mishandled its duties in setting up the original exchange.
Amid ongoing problems, state lawmakers considered switching to the federal exchange, but ultimately decided to switch to Connecticut's successful technology platform.
Meanwhile, the Department of Health and Human Services' Office of the Inspector General has slammed the federal government for storing the personal information of millions of insurance marketplace customers in a massive data warehouse with basic security flaws.
To learn more:
- read the audit report (.pdf)