Vermont discloses data breach on healthcare exchange website

Vermont Health Connect issues report after victim whose records were exposed reports problem

Despite warnings and concerns over the fact that the websites used to manage the nation's healthcare exchange programs are at risk, one of them is already dealing with the fallout from a data breach. According to reports, Vermont has disclosed a data breach linked to its healthcare exchange website, after the victim whose records were exposed reported the problem.


Vermont Health Connect, the healthcare exchange that opened on October 1 under the Affordable Care Act, managed by the state itself, issued a report to federal officials that described the breach, which occurred on October 17. According to the report, obtained by the Associated Press, the state was notified about the breach after one of the victims sent them a letter.

The person who reported the problem wasn't named in the report. However, Greg Needle, the privacy administrator with Vermont Health Connect, confirmed that this person's Social Security Number, as well as information submitted to the exchange during the application process, was obtained by an unauthorized party. According to a letter Needle sent to the Centers for Medicare and Medicaid Services (CMS), the person learned about the breach from an anonymous letter.

The letter itself was a copy of the unnamed person's application, along with a message written on the last page of the application and the back of the envelope that said, "VERMONT HEALTH CONNECT IS NOT A SECURE WEBSITE!"

While the report to CMS outlines a single example, which is only known because the person impacted reported it on their own, there is no way to tell if others received the same anonymous warning. On the Vermont Health Connect website, there is no mention of the incident.

In a statement, Mark Larson, the commissioner of the Department of Vermont Health Access, said the incident was "one case and it was responded to appropriately," adding that the "unique circumstances" that led to the breach cannot be repeated due to his department's efforts.

Only 16 other states besides Vermont manage their own portals for the Affordable Care Act; the rest rely on the federal exchange. When asked his thoughts about this latest incident, Dave Kennedy, the CEO of TrustedSec LLC, and one of the people who recently testified about the high levels of risk during a hearing by the House of Representatives Science, Space and Technology Committee, thinks this is just the beginning.


"I think we will see a lot of exposures and breaches occur on both the state and federal level. is only the start, there are a number of states that built their own state exchanges [and] the technology between them is completely different per state in most cases," he told CSO in an interview.

For example, he noted, some of the state-managed healthcare exchanges are custom coded in PHP, while others are built on a content management system such as SharePoint (or Drupal). Many of these platforms already have known exposures, such as cross-site scripting, open redirects, and others. "I think there's some serious concern here," he said.

As to the questionable method of disclosure: for those attempting to help by exposing the security flaws on a given healthcare website, anonymous letters are not the way to go. However, Kennedy said, for those who lean towards full and open disclosure, or, worse, criminals out for outright data theft, the moral stance of ethical and responsible vulnerability reporting means very little.

"We should be cautious and contact notified parties in a responsible and ethical manner. This isn't always going to be the case for individuals that lean more towards open disclosure or worse, stealing the information for online theft," Kennedy explained.

In the end, Vermont's security problems are likely just the beginning. Information is a valuable commodity to criminals, and repositories like this are painted targets.

"These exchanges will have a vast amount of information about individuals within the state, it's going to be a treasure trove for criminals for a number of years to come," added Kennedy.

Stories by Steve Ragan