Vermont Business Magazine In an Associated Press story published Thursday night, the US Government Accountability Office "found significant cybersecurity weaknesses in the health insurance websites of California, Kentucky and Vermont that could enable hackers to get their hands on sensitive personal information about hundreds of thousands of people." In the story related to a report issued by the GAO last summer, Vermont health care reform chief Lawrence Miller is quoted as saying that Vermont has since changed vendors and the state has "ensured correct controls were in place" to meet a federal standard. That did not keep Lieutenant Governor Phil Scott from issuing a blistering response late Thursday.
Lawrence Miller, with Governor Shumlin, discussed the status of Vermont Health Connect at a press conference in June 2015. VBM photo.
“Enough is enough," Scott said. “Once again we are learning of another problem with Vermont Health Connect, and once again we are finding out from a national news agency rather than our own Administration. Just one day ago the Administration was updating legislators on the ongoing issues with 1095-A tax forms, without mentioning potential security vulnerabilities.
“The Associated Press did Vermonters a great service by shining a light on the issues we weren’t aware still existed; after all, we were told everything was good and getting better. This article proves that the Administration is not only gambling with Vermonters’ access to affordable health care, but also with their most personal information. And this isn’t the first time.
|
Associated Press article, “Security flaws found in 3 state health insurance websites” FRANKFORT, Ky. (AP) — Federal investigators found significant cybersecurity weaknesses in the health insurance websites of California, Kentucky and Vermont that could enable hackers to get their hands on sensitive personal information about hundreds of thousands of people, The Associated Press has learned. And some of those flaws have yet to be fixed. The vulnerabilities were discovered by the Government Accountability Office, the investigative arm of Congress, and shared with state officials last September. Vermont authorities would not discuss the findings, but officials in California and Kentucky said this week that there was no evidence hackers succeeded in stealing anything. |
· October 2013 — First security breach, where a customer's Social Security information and other data was compromised
· Late 2013 — “Privacy Breach" of personal information due to human error
· December 2013 — Second security breach, where a Romanian attacker hacked the system 15 times and went undetected for a month
· September 2014 — Federal government shuts down Vermont Health Connect due to inability to meet security requirements
· April 2015 — Auditor Doug Hoffer's first audit identifies security issues, including 70 moderate security weaknesses, 91 percent of which the State had known about for 13 months
· November 2015 — Outside audit by a Virginia firm highlights concerns over security protocols
· November 2015 — Auditor Hoffer's supplemental audit identifies 121 security weaknesses, three of which were "high risk" and 63 of which were "moderate-risk"
“Vermonters deserve better than this. Our health, personal finances and sense of security have been violated and decisive action is long overdue. There is no shame in saying: “We tried, but we couldn’t do it.” The shame is in continuing down the same road, throwing good money after bad, and putting even more Vermonters at risk.
“I cannot, in good conscience, support continued efforts to consider whether or not Vermont Health Connect is functional, because we know it isn’t. I, and my fellow Vermonters, have run out of patience, and lost any faith and trust we might have had.
“As a public servant, I'm angry. As a small-business owner, I'm frustrated. As a Vermonter, I feel deceived. And I know I’m not alone.“
Scott is also a Republican candidate for governor.