Vt. Reaches Health-Care Exchange Vendor Data Security Settlement

By Daniel R. Stoller

Technology company SAManage USA Inc. Sept. 29 agreed to pay $264,000 to Vermont to settle claims it failed to protect Social Security numbers associated with the state’s health-care exchange.

The settlement highlights the ongoing data security risks when hiring third-party vendors. Vulnerabilities in vendor information systems have been blamed in many incidents, including the hack of the credit card processing system at Target Corp., the premature release of episodes of Netflix Inc.'s “Orange is the New Black,” and the targeting of a contractor hired by the Republican National Committee.

The settlement stems from a Vermont citizen’s tip to the state’s attorney general’s office that an Excel spreadsheet containing names and 660 Social Security numbers related to the state’s health-care exchange was publicly available online. The spreadsheet was posted to SAManage’s internal ticketing system by an employee of WEX Health Inc. It was then picked up by Microsoft Corp.'s Bing web crawler and incorporated into publicly available search results. The web crawler was able to access the URL of the spreadsheet because there weren’t sufficient authentication procedures in place.

The investigation found that the “breach would have gone unreported” because of “a miscommunication within the company,” the attorney general’s office said Sept. 29 in a statement. The attorney general then brought claims under state consumer protection and security breach notice laws.

In addition to the financial settlement, SAManage, which provided support services as a subcontractor for Vermont Health Connect, agreed to implement a comprehensive information security program designed to protect consumers’ personally identifiable information. The tech company also agreed to “implement policies and procedures to ensure continued compliance with Vermont Law,” the settlement said.

Vermont Attorney General T.J. Donovan (D) said in a statement Sept. 29 that his office will continue to enforce “data breach and consumer protection laws,” and that the settlement was “appropriate given the specific facts” and the company’s willingness to cooperate in the investigation.

Ryan Van Biljon, vice president of sales and services at SAManage, told Bloomberg BNA Sept. 29 that the company “worked diligently with the AG of Vermont to comply with all of their requests” surrounding the settlement. SAManage also “did make a security change after the event which forces authentication on any and all external links to files contained on the platform,” he said.

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

Text of the settlement is available at http://src.bna.com/sZD.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
