$264,000 Settlement Agreed by Vermont Attorney General for SAManage USA Data Breach

by | Oct 9, 2017

A settlement of $264,000 has been agreed with the Vermont Attorney Genera and SAManage USA in relation to the 2016 data breach that resulted in the Social Security numbers of 660 Vermont residents being exposed online.

SAManage USA, a technology group that supplies business support services, did not secure an Excel spreadsheet that held information relating to the state health exchange, Vermont Health Connect.

The spreadsheet was link to a job ticket that was part of the firm’s cloud-based IT support system services and was agiven a unique URL. The URL could theoretically have been guessed by any individual and open using a web browser without any need for special authentication.

The spreadsheet was also indexed by the Bing search engine and was shown in the search engine results pages. Bing also displayed a preview of the contents of the spreadsheet, which clearly showed names and individual Social Security numbers.

Vermont Attorney General T.J Donovan said a Vermont citizen obtained the spreadsheet via the search engine listings and reported the violation to his office, leading to an investigation. The Vermont Attorney General’s office contacted AWS and asked for the document be taken down. Amazon then contacted SAManage USA to warn the firm of the breach. However, while an engineer was advised of the SAManage USA data breach, the incident was not reporteded to the appropriate personnel within the company.

The Vermont Security Breach Notice Act states that companies should alert the Attorney General’s office of a breach within 14 days of discovery and consumers within 45 days. SAManage USA was aware of the breach by Amazon on July 25, 2016, but it took until late September 2016 for the Attorney General’s office to be advised, shortly after the Attorney General contacted SAManage USA about the data violation.

It took almost two months for breach victims to be advised of the breach. Attorney General Donovan said that were it not for the actions of his office, the data breach would not have been reported.

SAManage USA has agreed to a $264,000 settlement to resolve the legal case and will adopt a thorough corrective action plan, which includes putting in place a comprehensive information security program to stop further privacy breaches.

In a media statement about the settlement, Attorney General Donovan stated, “Vermonters are increasingly aware of the dangers of mishandling Social Security numbers, and we will continue to protect them by enforcing our data breach and consumer protection laws.” He went on to explain that “This is an appropriate penalty given the given the specific facts of this incident and that the company fully cooperated with our investigation.”

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy