HARTFORD — The backpack containing a note pad with names, birth dates and Social Security numbers of Access Health CT customers was left Thursday outside a downtown deli and found by a man who turned it into his state legislator’s office Friday morning, authorities said Monday as new details continued to emerge about the case.
City police said fraud detectives were investigating the security breach in cooperation with federal resources.
The backpack contained information on more than 400 customers of Access Health CT, the state health exchange created by the Affordable Care Act, or Obamacare.
An employee of Maximus, the exchange’s call-center vendor, left work at some point Thursday and went to New York Deli & More, 240 Trumbull St., where he apparently left the backpack outside, officials with both Maximus and Access Health CT said at a press conference Monday.
Inside the backpack was a note pad with names of 413 people, corresponding Social Security numbers for 151 of those, and an undisclosed number of birth dates, Access Health CT’s marketing chief, Jason Madrak, said at a media conference Monday.
The Maximus employee left the deli around 4:30 p.m. Thursday, said Ilene Baylinson, president of the Eastern Region for Maximus. The employee got a ride home from a friend.
Sometime before the deli closed at 7 p.m., a man brought the backpack into the deli and asked if they wanted to hold onto it, Alex Aldali, who works at the deli, said in an interview at the store Monday. The owner of the deli wanted nothing to do with the backpack, Aldali said, so the man who brought it into the store left with it.
On Friday morning, House Republicans got a call from a man who wanted to turn in the backpack, said Pat O’Neil, a House Republicans spokesman. The call was relayed from the switchboard to the office of state Rep. Jay Case, R-Winchester, because the caller lives in Case’s district. Case was not there, however.
A staffer at Case’s office took the call and received the backpack that morning, O’Neil said.
“At that point, we contacted Kevin Counihan directly, and he said, ‘Oh, OK,’” O’Neil said, referring to the CEO of Access Health CT. An employee at Access Health CT went to the Legislative Office Building to retrieve the backpack and the information.
Friday afternoon, Access Health CT sent out an advisory about a possible security breach.
A representative at Maximus said Monday that it is “reinforcing” its policies in the aftermath of the security breach.
“The bottom line is that one of our team members made a mistake,” Baylinson said. “He violated our corporate policies and procedures for handling personal data. Removing any personal data from our offices and facilities is strictly prohibited and this individual is now on administrative leave.”
Baylinson added that the administrative leave will last until the police investigation is complete. The Maximus employee is “deeply sorry and has been fully cooperative with the investigation, and based upon what we know today, we have no reason to believe that any of this information was used for fraudulent purposes.”
Maximus’ standard procedure for hiring people includes a criminal background check.
“This individual is extremely remorseful and very upset about the situation. He is one of our better employees,” Baylinson said.
The Maximus employee tried to find the backpack by calling the person who drove him home Thursday and by looking for it at the Access Health CT office where he works on Friday morning, Baylinson said. He worked for a short time Friday morning, and came forward after hearing about the backpack on the news.
Attorney General George Jepsen’s office is looking into the matter.
“The attorney general takes matters of privacy and data security seriously,” Jepsen spokesman Robert S. Blanchard said in a statement. “Consistent with our practice in past breaches by other custodians of personal information, we reached out on Friday to Access Health CT regarding the incident and its plans to protect those potentially affected. We expect those discussions to continue as we seek to ensure that Connecticut residents’ privacy and personal information is protected. In particular, the office is seeking to determine how this incident occurred, what security procedures and policies were in place before the incident, and what is being done to reduce the risk of future breaches occurring.”
For the whole article, click here.