HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Vermont Attorney General Agrees $264,000 SAManage USA Data Breach Settlement

The 2016 SAManage USA data breach that saw the Social Security numbers of 660 Vermont residents exposed online has resulted in a settlement of $264,000 with the Vermont Attorney General.

In 2016, SAManage USA, a technology company that provides business support services, failed to secure an Excel spreadsheet relating to the state health exchange, Vermont Health Connect.

The spreadsheet was attached to a job ticket that was part of the firm’s cloud-based IT support system and was assigned a unique URL. The URL could theoretically have been guessed by anyone and accessed via a web browser without any need for authentication.

The spreadsheet was also indexed by the Bing search engine and was displayed in the search results. Bing also displayed a preview of the contents of the spreadsheet, which clearly displayed names and Social Security numbers.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Vermont Attorney General T.J Donovan said a Vermont resident found the spreadsheet via the search engine listings and reported the breach to his office, triggering an investigation. The Vermont Attorney General’s office contacted AWS and requested the document be removed. Amazon in turn contacted SAManage USA to alert the firm to the breach. However, while an engineer was alerted to the SAManage USA data breach, the incident was not communicated to the appropriate personnel within the company.

The Vermont Security Breach Notice Act requires companies to alert the Attorney General’s office of a breach within 14 days of discovery and consumers within 45 days. SAManage USA was alerted to the breach by Amazon on July 25, 2016, but it took until late September 2016 for the Attorney General’s office to be notified, shortly after the Attorney General contacted SAManage USA about the breach.

It took almost two months for breach victims to be notified. Attorney General Donovan said that were it not for the intervention of his office, the breach would not have been reported.

SAManage USA has agreed to a $264,000 settlement to resolve the case and will adopt a robust corrective action plan, which includes implementing a comprehensive information security program to prevent further privacy breaches.

In a statement about the settlement, Attorney General Donovan said, “Vermonters are increasingly aware of the dangers of mishandling Social Security numbers, and we will continue to protect them by enforcing our data breach and consumer protection laws,” he explained that “This is an appropriate penalty given the given the specific facts of this incident and that the company fully cooperated with our investigation.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.