Auditors Report Lack of Competitive Bidding, Data Breaches at State Health Insurance Exchange

The Connecticut Health Insurance Exchange is using an “extremely broad” procurement policy, which has enabled it to award millions of dollars worth of contracts without a competitive bidding process, state auditors reported on Tuesday.

The auditors also found breaches of client information that were not reported to the auditors, despite a state law requiring the exchange to report them when they occur.

It was the second audit in two years to point out that the quasi-public agency that operates the Access Health CT health insurance exchange was forgoing a competitive bidding process on a high proportion of its contracts. 

Auditors reported last year that between July 2015 and June 2017, the exchange awarded 65 contracts worth $36 million – of which 18 contracts worth $11.9 million were awarded as “sole source” without a competitive bidding process.

In their report released on Tuesday, which covers July 2017 through June 2019, the auditors said the exchange awarded 158 contracts worth $25.9 million. Auditor John Geragosian said the auditors do not know how many of those contracts were sole-source in total, but of the 10 contracts worth $2.12 million from that period that they reviewed, four, worth $1.13 million, were sole-source.

In response to last year’s audit report, the health insurance exchange responded only that it established its procurement policies in line with state statute, and that it followed those policies. Auditors agreed that the exchange had fulfilled those requirements, but also said those policies were broad and required only that the CEO of the exchange determine that awarding a contract without a competitive bidding process is “appropriate and in the best interest of the Exchange.”

In response to this year’s audit report that repeated last year’s findings, the exchange said its board of directors will review the policy at an upcoming meeting and decide whether to revise the policy. 

The exchange is not the only quasi-public agency that has been criticized for having an overly broad procurement policy that allows it to side-step the bidding process. 

In a recent report reviewing contracting at the quasi-public Connecticut Port Authority, the State Contracting Standards Board criticized the authority’s procurement policy for allowing its executive director to skip the bidding process for contracts under $50,000, or when the executive director determines a competitive bid isn’t possible.

Like the exchange, Port Authority leadership said they were willing to review those procedures and any concrete suggestions on how to improve them. 

But the Contracting Standards Board said in its report that it was a common issue for quasi-public agencies with limited resources, and that the state needed a central procurement organization to support them.

“They’ve been forced to perform these critical tasks with limited resources and without appropriate access to procurement professionals,” board member Bruce Buff said while presenting the report in February.

Lack of internal controls leads to data breaches

The auditors also found that the exchange wasn’t reporting information that it was legally required to disclose, including 44 separate breaches of client information between 2017 and 2021 – with one phishing scam that affected 1,100 clients.

The auditors found the exchange lacked sufficient internal controls for ensuring contractors complied with its privacy and security standards, and for preventing breaches of client data, Geragosian said. One contractor was responsible for 34 of those breaches, according to the auditors.

In 2018, breaches of personal information held by state agencies that were identified in audit reports led lawmakers to follow a recommendation from the state Auditors of Public Accounts to require agencies to report any breaches to both the auditors and the Office of Consumer Counsel.

The exchange told auditors that it had not been reporting the breaches because it wasn’t aware of the law change. Since auditors informed the exchange of the requirement during the audit process last year, it has started reporting data breaches, Geragosian said.

The exchange reported multiple cases where a representative at the exchange’s call center – which is run by a contractor, Faneuil – mistakenly gave one customer access to another customer’s account.

In separate cases reported to auditors in January, September and November 2021, and January 2022, a customer asked to have their online account linked to their application, and the representative at the exchange’s call center linked the wrong customer’s application, allowing the customer to see another customer’s account and personal information, according to the reports.

In those cases, the customer called the center again and informed them that they could see the other person’s information, and the accounts were unlinked, according to the reports. In the report on the January incident, the exchange said the customer whose application was mistakenly linked, and whose information was exposed, would be notified and offered two years of identity theft protection and credit monitoring.

“[The exchange] has no reason to believe the information will be misused,” the report said.

The exchange told the auditors that it would comply with the reporting requirements and is putting in place more protocols to monitor its contractors to make sure they comply with privacy and security standards.