State officials say a newly disclosed security breach involving Vermont Health Connect has not jeopardized the personal data of consumers. But a critic of the new health insurance website isn’t convinced the incident was so benign. And this latest episode promises to spark yet another political dustup over the massive reform initiative.
State officials don’t know who broke into the system, or what they wanted. But from an Internet address that was later traced to Romania, the attacker in December made his way undetected into a server located in Phoenix, Ariz.
“In lay terms what that means is we had a user log in from overseas who didn’t have appropriate rights and access to the system but was able to access the system,” says Richard Boes, commissioner of the Vermont Department of Information and Innovation.
The server was owned by CGI, the technology firm hired by the state to construct Vermont Health Connect. And Boes says the equipment was part of a “development environment” used to test components of the exchange.
The development environment, according to Boes, is an entirely different virtual territory than the “live environment,” where the digital machinery of Vermont Health Connect is actually run.
Boes says a rigorous internal probe by both CGI and state security experts has shown that the personal data of Vermonters was never at risk. Lawrence Miller, the Shumlin Administration appointee brought in in January to help resolve the troubled rollout of Vermont Health Connect, says there’s no reason to believe that hackers gained access to the “live environment," the computers where customer information is stored.
“We, the state, looked at it as being a relatively modest incident,” Miller says. “It didn’t challenge any of the security structures that were set up around the normal system. It was somebody coming in through an unlocked front door.”
But Republican Randy Brock is skeptical. The former state auditor unsuccessfully tried to unseat Gov. Peter Shumlin in 2012. Since then, Brock, aided by intelligence being funneled to him by an inside source working at Vermont Health Connect, has used the state’s open records law to make public incidents that he says provide evidence of mismanagement and incompetence in the rollout of the exchange.
Brock’s work has fueled media scrutiny of everything from missed deadlines by CGI to the inadvertent disclosure of consumers’ personal data.
A public records request filed by Brock last week made it clear he was on to the security breach. The administration says it’s disclosing the incident now to get in front of the news, and prevent Vermonters from losing confidence in the insurance website.
“This is an issue that we feel was evaluated, put to rest through the proper channels,” Miller says. “And now some people are questioning whether or not there’s some sort of cover up or conspiracy about whether or not this was a more significant breach.”
Brock says his worries about Vermont consumers’ security aren’t assuaged by the assurances from Miller and Boes. Brock doesn’t dispute that the development environment did not contain sensitive data. But he says a skilled hacker could manipulate software being tested in the development zone, then exploit those “backdoors” when the components are later incorporated into the live environment.
“The development environment is the place where software is developed, and so it immediately raises the question of: 'could there be any manipulation in code?'” Brock says. “Could someone have made an alteration, put in a back door, do some of the really evil things that hackers do. Is there an assurance that that hasn’t happened, and has anybody looked at that to be able to provide that degree of assurance? I don’t know this. The public doesn’t do this.”
Boes says Brock’s concerns are without merit.
“It’s not a legitimate concern because nothing from this environment goes directly into the live environment,” Boes says. “This is not a software development box – no software development is done. This is a box they use to test various different procedures.”
The state wasn’t at all pleased with CGI when news of the breach was revealed by the tech firm on Jan. 23. In emails with officials at CGI, Nick Waringa, the state's chief information security officer, asks if data transmitted to the compromised server can be “vetted to be sure unequivocally that no … sensitive data was at risk,” and that there was no “potential internal compromise.”
Waringa told CGI officials that the incident underscores the need to establish “an appropriate incident response plan that involves (a) well documented and distributed end to end process.” And he says that the “lack of available CGI security resource on Fridays and Mondays is troubling.”
Waringa says “surprises” like the security breach “are exactly the type of thing that makes the case for a penetration test/(vulnerability) assessment on the entire public infrastructure.”
Brock says the administration should consider disclosing breaches to Vermonters when they occur, instead of accusing him of political gamesmanship when he exposes them.
“The intrusion by a hacker into a development environment involving Vermont Health Connect would be something that Vermonters might at least want to know about,” Brock says. “Why does the administration say nothing about it until someone effectively catches them at it?”
Miller says half-truths from Brock’s inside source have helped spawn news stories that damage the credibility of the exchange. Information from Brock’s leak led to the eyebrow-raising revelation in a story published by Newsweek earlier this year about the falsification of website demonstrations by CGI officials. According to the source, CGI was seeking to mislead the state into thinking the exchange was on track for a successful launch.
Administration officials and CGI have flatly denied the accusation, and have since provided documents they say prove the demonstration was real. With the incident involving the security breach, Miller says Brock aims to make a political mountain out of a privacy molehill.
Miller says he’s especially concerned about the timing of the release of the information – the open enrollment deadline comes on March 31, and the state is hoping to see thousands of new customers sign up for insurance in the next two and a half weeks.
“We’re in the middle of critical period with the end of open enrollment, and I’m very concerned that Vermonters have the appropriate level of confidence in the system and feel comfortable coming into Vermont Health Connect,” Miller says. “Having things like this spun up from a grain of truth to massive implications that affect people’s confidence is unfair to Vermonters who need coverage.”
The administration is also looking to spare Commissioner of Vermont Health Access Mark Larson from another public embarrassment involving failure to disclose information to lawmakers. Larson was chided publicly by Shumlin and top legislative leaders last November for what they said was a misleading answer to lawmakers about the existence of privacy breaches on the exchange.
During recent testimony before the House Committee on Health Care, Larson was asked by Republican Rep. Mary Morrissey whether Vermont Health Connect had suffered any external breaches. He said it had not. But this time, Miller says, Larson is innocent.
Miller and Boes both say that at the time he was asked, Larson had no knowledge of what had occurred in December. They say information about the breach flowed from CGI to the Department of Information and Innovation – as per security protocols. The information then made its way up the chain at DII to Boes, who sent news of the situation to Secretary of Administration Jeb Spaulding.
Because it didn’t affect functionality at Vermont Health Connect, Miller says the information never made its way to Larson.
“Because it didn’t involve the Vermont Health Connect system nothing went up to Mark Larson,” Miller says. “It just wasn’t even considered an impact on the Vermont Health Connect system.”
Larson is due to testify before the committee again Tuesday morning. Boes says he’ll appear in committee to talk about the breach in the near future.
Brock says he’s considering another run for governor, but has not decided yet one way or another.