Technology company SAManage USA, Inc. recently agreed to pay $264,000 as part of a data breach settlement with the Vermont Attorney General, following a July 2016 incident.
SAManage provides a cloud-based IT support service that was used by WEX Health, a contractor to Vermont. According to an Attorney General press release, SAManage’s IT ticketing system allowed an Excel spreadsheet containing 660 Social Security numbers to be viewed publicly, without requiring authentication.
“A Microsoft Bing web crawler discovered the URL of the spreadsheet and incorporated it into its search results, where it was found by a Vermonter, who reported the breach to the Attorney General,” the statement explained. “The Attorney General then investigated the SAManage breach. It appeared that due to a miscommunication within the company, this breach would have gone unreported were it not for the Attorney General’s intervention.”
SAManage changed the spreadsheet’s security settings to require authentication, the settlement read. However, the company did not immediately require authentication for documents in general, and it did not notify WEX Health that PII had been exposed.
Vermont Attorney General T.J. Donovan said in a statement that his office takes data breaches very seriously.
“Vermonters are increasingly aware of the dangers of mishandling Social Security numbers, and we will continue to protect them by enforcing our data breach and consumer protection laws,” he said. “This is an appropriate penalty given the specific facts of this incident and that the company fully cooperated with our investigation.”
Along with paying the fine, SAManage agreed to alter its information security and legal compliance programs.
Vermont’s Security Breach Notification Act requires that a “data collector,” such as SAManage, must notify the Attorney General within 14 days of notice or discovery of a breach. Consumers need to be notified within 45 days.
In this case, WEX Health was not informed until September 2016, approximately two months after the security incident.
“Absent intervention by the Attorney General, there is no indication that SAManage planned to inform anyone of the breach,” the settlement said. “SAManage’s delay caused Vermont consumers to learn that their Social Security numbers had been exposed almost two months later than they should have.”
Under the agreement, SAManage must appropriately segment the network-based portions of its computer system that store, process, or transmit PII, using firewalls, access controls, or other appropriate measures.
Additionally, SAManage must implement a security patching protocol for its computer system and adhere to the following requirements:
- Use VPNs, or other methods at least as secure, for transmitting PII across open, public networks
- Install and maintain appropriately configured and up-to-date anti-malware software on its computer system
- Implement and maintain security monitoring tools, such as intrusion detection systems or other devices, to track and monitor unauthorized access, with quarterly testing and continual monitoring of the computer system
- Implement access control measures for the portions of the computer system that store, process, or transmit PII
- Retain logs for at least 90 days online and one additional year offline
- Require user authentication for every part of SAManage’s systems that is exposed to public access and could store or transmit PII
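The failure at the center of this settlement is easy to test for: a document URL that returns the document to a client with no session is, by definition, available to a search crawler. The script below is an added example, not code from SAManage, WEX Health, or the Vermont Attorney General. It fetches each attachment URL anonymously (no cookies, redirects not followed), classifies the response as exposed, protected, or needing review, and counts distinct SSN-shaped values in anything that came back in the clear. The ticket paths, the loopback demo server, and the sample CSV are constructed for the demo; point `audit_url` at real URLs to use it.

```python
"""Anonymous exposure audit for ticket-system attachment URLs (added example).

Not the vendor's or the Attorney General's code. Fetch each URL the way a
search crawler would (no credentials, no cookies, no redirect following) and
flag anything served as a document rather than a 401/403 or a login redirect.
"""
import http.server
import re
import threading
import urllib.error
import urllib.request
from dataclasses import dataclass

# Content types that should never reach an unauthenticated client.
DOCUMENT_TYPES = {
    "application/vnd.ms-excel", "application/pdf", "text/csv",
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
    "application/octet-stream",
}
# SSN shape, excluding area 000/666/9xx, group 00 and serial 0000 (never issued).
SSN_RE = re.compile(rb"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
LOGIN_HINT = re.compile(r"login|signin|sign-in|sso|auth", re.I)


@dataclass
class Finding:
    url: str
    status: int
    verdict: str  # "exposed", "protected" or "review"
    reason: str
    ssn_count: int = 0


def classify(status, content_type, body, location=None):
    """Map an unauthenticated response to (verdict, reason)."""
    if status in (401, 403):
        return "protected", f"server enforced authentication ({status})"
    if status in (301, 302, 303, 307, 308):
        if location and LOGIN_HINT.search(location):
            return "protected", f"redirected to login: {location}"
        return "review", f"redirected elsewhere: {location}"
    if status == 200:
        ctype = (content_type or "").split(";")[0].strip().lower()
        if ctype in DOCUMENT_TYPES:
            return "exposed", f"document served without credentials ({ctype})"
        if ctype == "text/html" and re.search(rb"<input[^>]+type=.password", body, re.I):
            return "protected", "login form returned instead of the document"
        return "review", f"200 with unexpected content type {ctype or '?'}"
    return "review", f"unexpected status {status}"


def count_ssns(body):
    """Distinct SSN-shaped values in the body, to size an exposure."""
    return len(set(SSN_RE.findall(body)))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Surface 3xx as HTTPError instead of following it, so login redirects stay visible.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def audit_url(url, timeout=10):
    """Fetch one URL with no session and classify the result."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "pii-exposure-audit/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            status, headers, body = resp.getcode(), resp.headers, resp.read()
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all land here
        status, headers, body = err.code, err.headers, err.read()
    verdict, reason = classify(status, headers.get("Content-Type"), body, headers.get("Location"))
    return Finding(url, status, verdict, reason, count_ssns(body) if verdict == "exposed" else 0)


class _DemoHandler(http.server.BaseHTTPRequestHandler):
    """Constructed server: one exposed attachment, one login redirect, everything else 401."""
    ROUTES = {  # path -> (status, content type, body, Location)
        "/tickets/1/attachments/export.csv": (200, "text/csv",
                                              b"name,ssn\nalice,123-45-6789\nbob,234-56-7890\n", None),
        "/tickets/2/attachments/export.csv": (302, None, b"", "/login?next=/tickets/2"),
    }

    def do_GET(self):
        status, ctype, body, location = self.ROUTES.get(self.path, (401, None, b"", None))
        self.send_response(status)
        if ctype:
            self.send_header("Content-Type", ctype)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo():
    """Serve the constructed routes on a loopback port, audit three URLs, return findings."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}/tickets/"
    try:
        return [audit_url(base + f"{n}/attachments/export.csv") for n in (1, 2, 3)]
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.verdict:9} {f.status} {f.url}  {f.reason}  ssns={f.ssn_count}")
```

Two design points matter in practice. Redirects are deliberately not followed: an auditor that follows a 302 to a login page sees a 200 HTML response and can mistake it for success, while a crawler sees the redirect. And a "review" verdict is kept separate from "protected", because a 200 with an unexpected content type, or a redirect to somewhere other than a login page, is exactly the case that needs a human to look at the actual bytes before it is closed out.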
Organizations must also be mindful of state data breach notification laws, in addition to federal requirements like HIPAA.
CoPilot Provider Support Services, Inc. agreed to a $130,000 state settlement with New York in June 2017 following a reported data breach that impacted 221,178 patient records.
CoPilot waited over one year to provide data breach notice, according to the New York Attorney General.
“Healthcare services providers have a duty to protect patient records as securely as possible and to provide notice when a breach occurs,” Attorney General Schneiderman said in a statement. “Waiting over a year to provide notice is unacceptable. My office will continue to hold businesses accountable to their responsibility to protect customers’ private information.”
CoPilot claimed that the delay was due to an ongoing law enforcement investigation. However, the state Attorney General reported that the FBI did not instruct CoPilot to delay notification as such a move would not compromise the investigation.
“General Business Law § 899-aa requires companies to provide notice of a breach as soon as possible, and a company cannot presume delayed notification is warranted just because a law enforcement agency is investigating,” the AG office stated.