The Vermont attorney general will fine a Cary, N.C., data management company $264,000 as part of a data breach settlement that involved the state’s healthcare insurance exchange.
Vermont attorney general T.J. Donovan announced the penalty last week as part of a settlement agreement with SAManage USA Inc. regarding a July 2016 data breach incident that exposed the Social Security numbers of 660 Vermont consumers who were also users of Health Connect, the state’s healthcare exchange.
In that incident SAManage’s information technology system allowed an Excel spreadsheet containing the 660 Social Security numbers to be viewed publicly without requiring authentication, the Vermont attorney general says.
A Microsoft Bing web crawler discovered the URL of the spreadsheet and incorporated it into its search results, where it was found by a Vermont consumer, who reported the breach to the attorney general. “Vermonters are increasingly aware of the dangers of mishandling Social Security numbers, and we will continue to protect them by enforcing our data breach and consumer protection laws,” Donovan says. “This is an appropriate penalty given the specific facts of this incident.”
As part of the settlement SAManage also agreed to alter its information security and legal compliance programs to avoid future incidents, the attorney general says. SAManage says it is cooperating with the attorney general.
More than 30,000 people enrolled in individual market plans through Vermont Health Connect during the 2017 open enrollment period, according to HealthInsurance.org.
SAManage provided an information technology help desk and similar services to WEX Health Inc., a primary information technology contractor to the Health Connect exchange, says the state attorney general.