[BreachExchange] Tech Company Agrees to $264K Vermont Data Breach Settlement

[Destry Winant]

https://healthitsecurity.com/news/tech-company-agrees-to-264k-vermont-data-breach-settlement

Technology company SAManage USA, Inc. recently agreed to pay $264,000
as part of a data breach settlement with the Vermont Attorney General,
following a July 2016 incident.

SAManage provides cloud-based IT support, which was used by WEX Health
– a contractor to Vermont. SAManage’s IT ticketing system let an excel
spreadsheet with 660 Social Security numbers be viewed publicly
without requiring authentication, according to an Attorney General
press release.

“A Microsoft Bing web crawler discovered the URL of the spreadsheet
and incorporated it into its search results, where it was found by a
Vermonter, who reported the breach to the Attorney General,” the
statement explained. “The Attorney General then investigated the
SAManage breach. It appeared that due to a miscommunication within the
company, this breach would have gone unreported were it not for the
Attorney General’s intervention.”

SAManage changed the spreadsheet’s security settings to require
authentication, the settlement read. However, the company did not
immediately require authentication of documents in general and did not
notify WEX Health that PII had been exposed.

Vermont Attorney General T.J. Donovan said in a statement that his
office takes data breaches very seriously.

“Vermonters are increasingly aware of the dangers of mishandling
Social Security numbers, and we will continue to protect them by
enforcing our data breach and consumer protection laws,” he said.
“This is an appropriate penalty given the given the specific facts of
this incident and that the company fully cooperated with our
investigation.”

Along with paying the fine, SAManage agred to alter its information
security and legal compliance programs.

Vermont’s Security Breach Notification Act requires that a “data
collector,” such as SAManage, must notify the Attorney General within
14 days of notice or discovery of a breach. Consumers need to be
notified within 45 days.

In this case, WEX Health was not informed until September 2016,
approximately two months after the security incident.

“Absent intervention by the Attorney General, there is no indication
that SAManage planned to inform anyone of the breach,” the settlement
said. “SAManage’s delay caused Vermont consumers to learn that their
Social Security numbers had been exposed almost two months later than
they should have.”

SAManage must appropriately segment network-based portions of its
computer system that stores, processes, or transmits PII by firewalls,
access controls, or other appropriate measures, according to the
agreement.

Additionally, SAManage needs to implement security patching protocol
for its computer system and adhere to the following guidelines:

Use VPNs or other methods at least as secure for transmission of PII
across open, public networks
Install and maintain appropriately configured and up-to-date
anti-malware software on its computer system
Implement and maintain security monitoring tools, such as intrusion
detection systems or other devices to track and monitor unauthorized
access. Quarterly testing and continual monitoring of the computer
system must also be done.
Implement access control measures for portions of the computer system
that store, process, and transmit PII
Retain logs for at least 90 days online and one additional year offline
Implement user authentication for all aspects of SAManage systems that
could be exposed to public access that could possibly store or
transmit PII.

Organizations must also be mindful of state data breach notification
laws, in addition to federal requirements like HIPAA.

CoPilot Provider Support Services, Inc. agreed to a $130,000 state
settlement with New York in June 2017 following a reported data breach
that impacted 221,178 patient records.

CoPilot waited over one year to provide data breach notice, according
to the New York Attorney General.

“Healthcare services providers have a duty to protect patient records
as securely as possible and to provide notice when a breach occurs,”
Attorney General Schneiderman said in a statement. “Waiting over a
year to provide notice is unacceptable. My office will continue to
hold businesses accountable to their responsibility to protect
customers’ private information.”

CoPilot claimed that the delay was due to an ongoing law enforcement
investigation. However, the state Attorney General reported that the
FBI did not instruct CoPilot to delay notification as such a move
would not compromise the investigation.

“General Business Law § 899-aa requires companies to provide notice of
a breach as soon as possible, and a company cannot presume delayed
notification is warranted just because a law enforcement agency is
investigating,” the AG office stated.