Vt. Official Admits Not Telling Truth

Health Site Security Breach Not Revealed in Testimony

Commissioner Mark Larson of the Department of Vermont Health Access testifies at the Statehouse in Montpelier, Vt., on Nov. 5, 2013. Larson is apologizing for not being more forthcoming with a legislative committee when he was explaining the details of a security breach in the system on Nov. 5. In a statement Monday, Nov. 25, 2013, Gov. Peter Shumlin said he was disappointed Larson was “anything less than fully cooperative and transparent,” but he did not believe Larson meant to deceive the committee. Larson was asked if anyone’s information was compromised and he told the committee there had been a breach, but he did not say there had been unauthorized access to information. (AP Photo/Toby Talbot, File)

Montpelier — Gov. Peter Shumlin said Monday he is “tremendously disappointed” that his top health care official, Mark Larson, misled lawmakers about a security breach in the state’s online health exchange.

At a House Health Care Committee meeting Nov. 5, Rep. Mary Morrissey, R-Bennington, directly asked Department of Vermont Health Access Commissioner Larson if there had been any security breaches with Vermont Health Connect.

Larson told her there hadn’t been, failing to disclose an incident Oct. 17 in which one user was able to access another user’s social security information.

The Associated Press first reported that incident — and the fact that Larson had glossed over it — in a story published Friday.

Shumlin, who said he first learned of Larson’s blunder “by reading about it in the press,” issued a harshly worded reprimand Monday morning. (Shumlin had been briefed about the actual security breach shortly after it happened.)

“It is unacceptable to be anything less than fully cooperative and transparent with Vermonters and their elected representatives in the Legislature. I am tremendously disappointed in Commissioner Larson’s lapse of judgment in this matter,” Shumlin said in a statement.

The governor, who has touted his administration’s transparency, pledged that his administration wouldn’t withhold information in the future.

“The legislators in Montpelier represent the Vermonters we are all elected to serve, and they have a right to have their questions answered fully. That did not happen in this case, and I have made clear to Mark and other members of my administration that it must never happen again.”

The governor gave a gentler reproach during an unrelated news conference Monday. He said he continues to have “absolute confidence” in the commissioner and has no plans to fire him.

“It’s a small state,” Shumlin said. “We all know that people make mistakes. We all know Mark Larson well. I never asked him to do anything except to continue to do the work he’s doing to get Vermont Health Connect working properly.”

And Shumlin defended his entire Cabinet’s candor during the rollout of Vermont Health Connect.

“I think that Commissioner Larson and I and the entire team have been candid with all the information we have,” he said. “We tell you the information when we get it.”

Asked if his administration will inform the public of any future security breaches, Shumlin responded, “Absolutely.”

Two days after Gram’s story, Larson sent an apology letter to the House Health Care Committee, acknowledging that he had not been candid about the incident. Larson said, above all, he’s worried his mistake would sow “unnecessary doubts” about the security of Vermont Health Connect.

House Speaker Shap Smith said Larson’s misstep might have cost him his credibility in the Legislature.

“I have spoken with Commissioner Larson and Gov. Shumlin and have shared with them my view that a breach such as this will undermine Commissioner Larson’s ability to be an effective representative for the administration in the Legislature,” Smith said. “It is now incumbent on Commissioner Larson to work to rebuild the trust he once had with his legislative colleagues.”

House Health Care Committee Chairman Rep. Mike Fisher, D-Lincoln, said, “He obviously did not answer a specific question accurately to the Health Care Committee, and that’s a really big deal.”

But like Larson, Fisher said his greatest concern is that the incident will stir up unfounded concerns about the exchange’s security that will deter people from using the website to sign up for insurance.

Shumlin and Larson have emphasized that the Oct. 17 incident, in which one user was able to access another user’s personal information, stemmed from an internal error and was not the result of external hacking. The administration filed a report, as required, to the Center for Medicaid and Medicare Systems (CMS) and Shumlin and Larson say the problem has been fixed and no other incidents have occurred.

“It wasn’t the kind of security breach that frankly CMS and we would be really concerned about in terms of people trying to manipulate the system and get information that wasn’t theirs,” Shumlin said.

The breach — technically classified as an “unintended electronic disclosure” — came to light in an unusual way.

According to the CMS report filed by the state, a user received an anonymous piece of mail that contained their application for health insurance, social security number included, along with a hand-written message that read, “VERMONT HEALTH CONNECT IS NOT A SECURE WEBSITE.”

State officials reported that they “investigated immediately and determined that two accounts were linked via a recycled username and it was possible for a brief period of time that the two username holders could access the same information.”

For the first time, officials provided more details about the cause of the delay in setting up the payment function of the exchange: security concerns. The state is “triple checking” to ensure people’s credit card information is secure before launching that piece of the system, Shumlin said.

Morrissey said she had heard concerns from a navigator group, which prompted her to ask Larson about the security of the exchange on Nov. 5. The commissioner’s response, she said, marked a “real breach in transparency and accountability.”

Morrissey characterized Larson’s sidestepping of her question as part of a trend — she pointed out that one of her fellow committee members, Rep. Chris Pearson, P-Burlington, had criticized the commissioner at the same Nov. 5 meeting for “sugarcoating” earlier problems with Vermont Health Connect.