Hefty Penalty for Smallish Breach in VermontAttorney General Says Cloud Services Firm Failed to Notify Customer of Breach
The online exposure of an unsecured spreadsheet containing personal data on 660 subscribers to the Affordable Care Act health insurance exchange in Vermont has led the state to impose a $264,000 penalty on an IT services firm.
Under the terms of a settlement with the state's attorney general, Samanage USA Ltd. agreed to improve its information security and compliance program. The North Carolina-based company is a provider of cloud-based IT support service.
Samanage provided services to WEX Health Inc., a contractor to the state of Vermont that was managing the IT help desk and maintenance tasks for the state's Health Connect insurance exchange, according to the Vermont attorney general's office.
On June 2, 2016, a WEX Health employee attached a Microsoft Excel spreadsheet containing the names and Social Security numbers of 660 Vermonters to a job ticket that was part of Samanage's cloud-based IT support system, the settlement document notes.
"The IT support system communicated job tickets via a unique URL generated by a hash algorithm. Samanage did not authenticate the entity requesting information via the URL - by, for example, requesting a username and password," the settlement notes. "Anyone, anywhere, could theoretically guess the URL and type it into a standard web browser, and have access to the document."
In late July 2016, "a Vermonter, while searching for her own name, came across this search result. The URL contained 'AWS,' indicating that it was on the Amazon Web Services platform. The Vermonter contacted Amazon and the [Vermont] attorney general," the settlement notes.
The Vermont AG's office contacted Amazon to determine how the spreadsheet containing personally identifiable information of Vermont Health Connect users got posted and to ensure that the file was taken down.
"On July 25, 2016, Amazon emailed an engineer at Samanage to inform Samanage that PII that it had stored on its services was publicly accessible, and asked them to remove it. The engineer did not inform the appropriate personnel at Samanage that a security breach had occurred."
The notification by Amazon, however, triggered Samanage's duty to immediately investigate the breach, remediate it, and notify the owner of the data, WEX Health, the settlement indicates.
Instead, Samanage remediated the breach by changing the spreadsheet's security settings to require authentication, but it did not notify WEX Health that its PII had been exposed, the settlement notes.
In addition to failing to notify WEX Health about the breach, Samanage did not "immediately require authentication of documents generally," according to the settlement.
In a statement, the Vermont attorney general's office says: "It appeared that due to a miscommunication within [Samanage], this breach would have gone unreported were it not for the attorney general's intervention."
The settlement sends an important message to other companies doing business in Vermont, Ryan Kriger, Vermont's assistant attorney general tells Information Security Media Group. "We're not trying to bankrupt a business ... but this concerns the public ... and the importance of timely notification to affected individuals of compromises to their personally identifiable information."
The settlement illustrates that entities can expect Vermont to implement "severe penalties for failure to notify [the customer, in this case WEX Health]," he says. Under state law, Vermont can fine organizations $10,000 per breach violation, he notes. In this settlement, Vermont issued a $400 penalty to Samanage for each Social Security number that was exposed, he explains.
Samanage Offers Reaction
Ryan Van Biljon, Samanage vice president of sales and services, says in a statement provided to ISMG that his company "has worked diligently with the AG of Vermont to comply with all of their requests" involving this case.
Samanage made a security change after the event that forces authentication on any and all external links to files contained on the platform, he adds. "Without a Samanage username and password, no external entity can view a file stored in the system. This change was implemented back in September 2016."
WEX Health did not immediately respond to an ISMG request for comment. In October 2016, the company sent breach notification letters to affected individuals after being told of the breach in late September by Samanage after the Vermont AG's office contacted Samanage about the incident.
Under the state settlement, Samanage must also [make] a variety of improvements to its data security and compliance practices, including:
- Designate someone to coordinate and be accountable for the company's information security program;
- Conduct a security risk assessment;
- Segment networks that store, process or transmit PII;
- Implement a security patching protocol;
- Use virtual private networks or other methods at least as secure as VPNs for transmission of PII;
- Implement and maintain security monitoring tools, such as intrusion detection systems;
- Implement access control measures for the portions of Samanage's computer system that store, process and transmit PII; and
- Implement user authentication for all aspects of Samanage's systems that could be exposed to public access and that could possibly store or transmit PII.
The settlement offers critical reminders to other organizations, says privacy attorney David Holtzman, vice president at the security consultancy CynergisTek.
"With many organizations handling sensitive consumer information being hit with cyberattacks or security incidents caused by insiders, it is absolutely crucial for organizations to have technologies and administrative resources in place to detect unauthorized information system activity," he notes.
"When a security incident is discovered, organizations must implement a well thought out and rehearsed incident response program to mitigate the damage as well as return your information systems into secure operation by remediating gaps and vulnerabilities. Train your workforce on the organization's incident response plan to ensure that when an incident occurs, the notifications to the appropriate information security management takes place without delay."
Holtzman says [the] incident does not appear to be a HIPAA breach.
"Samanage was a subcontractor to the information services provider to a health plan offered through the Affordable Care Act. When establishing the ACA marketplaces, they were designated as not covered entities subject to the requirements of the HIPAA privacy, security and breach notification rules," he says.
Vermont is just the latest state to impose penalties after a breach. Attorneys general in Massachusetts, California and New York have taken similar action, says healthcare attorney Elizabeth Hodge of the law firm Akerman LLP.
In June, the New York attorney general announced a $130,000 financial settlement and corrective action plan with CoPilot Provider Support Services, a company that waited a year to provide notice of a breach affecting over 25,000 New York residents, she notes.
"Also, we are seeing the attorneys general from multiple states join together to bring enforcement actions where citizens in different states are affected by a breach," she says. "For example, attorneys general from multiple states are investigating the recent Equifax data breach."