
An official website of the United States government.


Public Summary Report: Information Technology Control Weaknesses Found at the Minnesota Health Insurance Exchange

Minnesota's Health Insurance Marketplace (MNsure) had implemented security controls, policies, and procedures intended to prevent vulnerabilities in its Web applications (Web site), database, and other supporting information systems. However, it did not always comply with Federal and State information technology requirements when it implemented those security controls, policies, and procedures, which increased MNsure's risk that personally identifiable information (PII) could have been exposed. We conducted tests of MNsure's Web site, database, and supporting information systems and found weaknesses in MNsure systems. Although we did not identify evidence that the vulnerabilities had been exploited, exploitation could have resulted in unauthorized access to and disclosure of PII, as well as disruption of critical marketplace operations. The vulnerabilities were collectively and, in some cases, individually significant and could have potentially compromised the integrity of the marketplace.

We recommended that MNsure implement necessary corrective actions to address the specific security vulnerabilities that we identified during this audit. Because of the sensitive nature of our findings, we have not listed the detailed recommendations in this summary report.

Copies can also be obtained by contacting the Office of Public Affairs at

Download the complete report.

Office of Inspector General, U.S. Department of Health and Human Services | 330 Independence Avenue, SW, Washington, DC 20201