Public Summary Report: Information Technology Control Weaknesses Found at the Minnesota Health Insurance Exchange
Minnesota's Health Insurance Marketplace (MNsure) had implemented security controls, policies, and procedures intended to prevent vulnerabilities in its Web applications (Web site), database, and other supporting information systems. However, it did not always comply with Federal and State information technology requirements when it implemented those security controls, policies, and procedures, which increased MNsure's risk that personally identifiable information (PII) could have been exposed. We conducted tests of MNsure's Web site, database, and supporting information systems and found weaknesses in MNsure systems. Although we did not identify evidence that the vulnerabilities had been exploited, exploitation could have resulted in unauthorized access to and disclosure of PII, as well as disruption of critical marketplace operations. The vulnerabilities were collectively and, in some cases, individually significant and could have potentially compromised the integrity of the marketplace.
We recommended that MNsure implement necessary corrective actions to address the specific security vulnerabilities that we identified during this audit. Because of the sensitive nature of our findings, we have not listed the detailed recommendations in this summary report.
Filed under: Centers for Medicare and Medicaid Services