Health Connect Security Flaws Were Fixed More Than A Year Ago, State Says

Apr 8, 2016

According to a federal report, Vermont is one of three states that have experienced security problems with their health care exchanges. But the Shumlin Administration says these problems were fixed more than a year ago.

The report was conducted by the Government Accountability Office and covers the period from October 2013 to March of 2015. It was released last month but the GAO study didn't include the names of the states that had flaws in their security software programs.

The states were identified this week after the Associated Press filed a Freedom of Information Act request. The three states are California, Kentucky and Vermont.

Lawrence Miller, the health care chief for the Shumlin Administration, says the vulnerabilities were identified and fixed in 2014.

“We identified all those risks and either remediated them – that is, fixed them – or managed them – that is, control them in other ways,” Miller says.

Miller notes that Vermont Health Connect changed vendors just after the timeframe of the GAO study, and he says all of the outstanding security issues were resolved at that time.

"This reflects a point in time long ago, and these issues are not present in the current system,” Miller says.

"This reflects a point in time long ago, and these issues are not present in the current system." - Lawrence Miller, health care chief

Lt. Governor Phil Scott, a longtime critic of Vermont Health Connect, says the breaches were just one of a series of ongoing problems with the exchange, and he favors moving to the federal system.

“It's obvious to me that the problems are too prevalent and they're not getting resolved,” Scott says. “So we need to restore the faith and trust of Vermonters and point us in a new direction." 

But Miller points out that the GAO study also found security problems with the federal exchange, and says there has never been a malicious security breach at Vermont Health Connect.