The operators of Maryland’s health insurance Web site improperly stored Social Security numbers and other customer information while awarding millions of dollars in contracts without ensuring the money would be spent properly, according to a state audit released Friday.
“Obviously they are moving in the right direction, but it’s really unfortunate that taxpayers and citizens have been exposed to so much extra costs and personal privacy risks when so many other states were able to do this more effectively,” House Minority Leader Nicholaus R. Kipke (R-Anne Arundel) said Friday.
The long-awaited review of the exchange’s finances found that officials did not follow rules in awarding more than $100 million in contracts, some without competition. In several of those cases, auditors misinterpreted spending policies, health exchange officials said in a response to the audit. But now, two years after the exchange opened, officials said their agency is taking corrective action proposed by the auditors to address the concerns.
Facing time constraints and pressure to get the $170 million Web site up and running, officials did not encrypt information for more than 500,000 people who used the exchange to shop for health insurance, the report by the state Office of Legislative Audits said.
The exchange said it took other steps to safeguard consumers’ names, dates of birth and Social Security numbers, and the audit found no evidence of data breaches.
Auditors said additional measures taken by the state this summer to shield access to data have successfully addressed the audit’s privacy recommendations.
In a statement, the exchange said it had “made significant progress since the audit period that ended more than a year ago.”
Maryland’s exchange, built during the administration of former governor Martin O’Malley (D), was a disaster at the outset, crashing within moments of its October 2013 launch and taking months and millions of dollars to rebuild.
Originally envisioned as a crowning achievement, it became a black eye for O’Malley as he completed his second term and launched a presidential bid that so far has struggled to gain traction. An O’Malley spokeswoman did not immediately respond to e-mails requesting comment Friday.
Problems with the exchange also led to criticism of then-Lt. Gov. Anthony G. Brown (D), who was tasked with overseeing the project and who lost the 2014 gubernatorial race to Larry Hogan (R).
The state audit office will separately issue another report examining the management of the exchange project leading up to its calamitous launch. An earlier attempt to review the exchange’s spending in April 2014 hit a roadblock when more than a quarter of the documents turned over by the state contained information that had been redacted.
But other probes have documented extensive problems.
A federal audit released in March recommended that Maryland pay the U.S. government $28.4 million that was misallocated because the state waited too long to formally update enrollment projections and numbers with federal grant providers.
And a Washington Post investigation found that the project — which O’Malley had promised would be a model for the nation — cycled through myriad managers and missteps, with officials ignoring repeated warnings of problems and potential failures.
“It was something that had never been built before, and we were relying a lot on promises from vendors on what the system could accomplish,” Josh Sharfstein, O’Malley’s former health secretary, said Friday. “What is important to recognize is that the exchange really did turn around dramatically and quickly.”
The exchange functioned well during the last enrollment period, and officials are preparing for the start of the next open-enrollment period, which begins Nov. 1.
In July, Maryland reached a settlement with Noridian Healthcare Solutions, the contractor it fired from the exchange project, which agreed to repay the state and federal governments a total of $45 million.
Specific findings of the new audit include:
●The health-exchange board approved two contracts worth $5.9 million for software maintenance and project management as emergency spending at its July 2014 meeting. But the contracts had already been awarded, without competition, earlier in 2014.
●The state distributed $23.4 million to nonprofit groups to boost health insurance enrollment in poor and minority communities, but the exchange did not follow through to make sure the money was spent properly.
●State officials failed to review payroll records before awarding $8.2 million to vendors that charged by the hour.
●Maryland erroneously gave out $1.7 million in federal subsidies because of a coding error in calculating eligibility. Auditors said that costs would be borne by government agencies or insurers, not consumers.
The exchange disagreed with auditors’ conclusions that these were examples of violated policies. But officials said the agency is more rigorously documenting and reviewing its spending.
A spokesman for Hogan said the problems identified in the audit “are simply not acceptable practices.”
