Vermont Chief Information Officer Richard Boes assured state legislators Tuesday a cybersecurity breach at the contractor hired to manage the state’s health insurance exchange had no impact on the personal information housed there.
Boes explained that in December, someone logged into a development system with a valid user name and password, but their Internet address came from Romania, which rose suspicions.
The user logged in about 15 times over several weeks through a computer housed at the Phoenix-based data center of CGI, the contractor managing Vermont Health Connect, but no state information was compromised.
After learning of the breach, CGI removed and rebuilt the computer. Boes stressed the compromised machine was not providing services to Vermont in any way, but some legislators were uncomfortable with not knowing until now of the incident.
“Why are we hearing about it on March 11?” Rep. Mary Morrissey, a Republican from Bennington, Vt., asked, noting she had posed a question to state officials about security breaches weeks ago and been told there hadn’t been any.
Boes said it remained true there haven’t been any security breaches involving Vermont Health Connect as the incident in Phoenix involved a system that wasn’t “part of the delivery of Vermont Health Connect.”
He noted that Mark Larson, the state commissioner overseeing the rollout of the new online marketplace and the person who told Morrissey there hadn’t been any security breaches, had never been informed about the incident involving a suspicious intrusion into a CGI system.
CGI reported the incident to Boes at the Department of Information and Innovation, and Boes acknowledged he didn’t notify Larson.
“Since the incident, we have made sure that we modify our procedure so Mark will get a courtesy notification,” Boes said.