$264,000 Settlement Agreed by Vermont Attorney General for SAManage USA Data Breach

Oct 9, 2017

A settlement of $264,000 has been agreed between the Vermont Attorney General and SAManage USA in relation to the 2016 data breach that resulted in the Social Security numbers of 660 Vermont residents being exposed online.

SAManage USA, a technology group that supplies business support services, did not secure an Excel spreadsheet that held information relating to the state health exchange, Vermont Health Connect.

The spreadsheet was linked to a job ticket that was part of the firm’s cloud-based IT support system services and was given a unique URL. The URL could theoretically have been guessed by any individual and opened using a web browser without any need for special authentication.

The spreadsheet was also indexed by the Bing search engine and was shown in the search engine results pages. Bing also displayed a preview of the contents of the spreadsheet, which clearly showed names and individual Social Security numbers.

Vermont Attorney General T.J. Donovan said a Vermont citizen obtained the spreadsheet via the search engine listings and reported the violation to his office, leading to an investigation. The Vermont Attorney General’s office contacted AWS and asked for the document to be taken down. Amazon then contacted SAManage USA to warn the firm of the breach. However, while an engineer was advised of the SAManage USA data breach, the incident was not reported to the appropriate personnel within the company.

The Vermont Security Breach Notice Act states that companies should alert the Attorney General’s office of a breach within 14 days of discovery and consumers within 45 days. SAManage USA was made aware of the breach by Amazon on July 25, 2016, but it took until late September 2016 for the Attorney General’s office to be advised, shortly after the Attorney General contacted SAManage USA about the data violation.

It took almost two months for breach victims to be advised of the breach. Attorney General Donovan said that were it not for the actions of his office, the data breach would not have been reported.

SAManage USA has agreed to a $264,000 settlement to resolve the legal case and will adopt a thorough corrective action plan, which includes putting in place a comprehensive information security program to stop further privacy breaches.

In a media statement about the settlement, Attorney General Donovan stated, “Vermonters are increasingly aware of the dangers of mishandling Social Security numbers, and we will continue to protect them by enforcing our data breach and consumer protection laws.” He went on to explain that “This is an appropriate penalty given the specific facts of this incident and that the company fully cooperated with our investigation.”


Ryan Coyne
