Lt. Governor Phil Scott Issues Statement on Vermont Health Connect Security
Montpelier, Vt. – Lt. Governor Phil Scott today issued following statement in response to the Associated Press article, “Security flaws found in 3 state health insurance websites” (http://bigstory.ap.org/article/e2e71ffb2af140b18d41f6fd4f7089b3/security-flaws-found-3-state-health-insurance-websites):
“Enough is enough.
“Once again we are learning of another problem with Vermont Health Connect, and once again we are finding out from a national news agency rather than our own Administration. Just one day ago the Administration was updating legislators on the ongoing issues with 1095-A tax forms, without mentioning potential security vulnerabilities.
“The Associated Press did Vermonters a great service by shining a light on the issues we weren’t aware still existed; after all, we were told everything was good and getting better. This article proves that the Administration is not only gambling with Vermonters’ access to affordable health care, but also with their most personal information. And this isn’t the first time.
· October 2013 — First security breach, where a customer’s Social Security information and other data was compromised
· Late 2013 — “Privacy Breach” of personal information due to human error
· December 2013 — Second security breach, where a Romanian attacker hacked the system 15 times and went undetected for a month
· September 2014 — Federal government shuts down Vermont Health Connect due to inability to meet security requirements
· April 2015 — Auditor Doug Hoffer’s first audit identifies security issues, including 70 moderate security weaknesses, 91 percent of which the State had known about for 13 months
· November 2015 — Outside audit by a Virginia firm highlights concerns over security protocols
· November 2015 — Auditor Hoffer’s supplemental audit identifies 121 security weaknesses, three of which were “high risk” and 63 of which were “moderate-risk”
“Vermonters deserve better than this. Our health, personal finances and sense of security have been violated and decisive action is long overdue. There is no shame in saying: “We tried, but we couldn’t do it.” The shame is in continuing down the same road, throwing good money after bad, and putting even more Vermonters at risk.
“I cannot, in good conscience, support continued efforts to consider whether or not Vermont Health Connect is functional, because we know it isn’t. I, and my fellow Vermonters, have run out of patience, and lost any faith and trust we might have had.
“As a public servant, I’m angry. As a small-business owner, I’m frustrated. As a Vermonter, I feel deceived. And I know I’m not alone. “