An IT company that provided business support services to Vermont’s health insurance exchange has agreed to pay $264,000 and alter its security program after it failed to report an incident that exposed the information of 660 people last year.
Samanage, which provides cloud-based support services, was a subcontractor to Wex Health, Vermont's primary IT help desk contractor supporting Vermont Health Connect, the state's insurance exchange. In June 2016, a Wex employee sent Samanage an Excel spreadsheet containing the names and Social Security numbers of 660 Vermont residents as part of a job ticket.
Samanage did not require authentication to access the URL at which the spreadsheet was stored. The exposure came to light when a Vermont Health Connect customer typed her name into an internet search engine and found the document, according to a settlement (PDF) released by the Vermont attorney general's office.
The North Carolina company changed the security settings after being notified by Amazon, which was hosting the document on its cloud service. But Samanage did not notify Wex of the breach until several months later, after it had been contacted by the attorney general's office.
“Absent intervention by the Attorney General, there is no indication that Samanage planned to inform anyone of the breach,” the settlement stated.
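The failure mode here is a file in cloud storage that anyone on the internet can read, which is exactly what a search engine crawler needs to index it. The following is an added example, not code from the article, from Samanage or from Amazon: an offline audit that takes an S3 object ACL and a bucket policy (the article says only "Amazon's cloud service", so S3 is my assumption) and reports any grant that allows anonymous reads. The ACL and policy documents are constructed samples in the JSON shapes that GetObjectAcl and GetBucketPolicy return; the bucket name, account ID and role name in them are placeholders.

```python
"""Offline check for the failure mode in the Samanage incident: an object in cloud
storage readable by anyone, and hence indexable by search engines.

Assumption (mine, not the article's): the object lived in Amazon S3, so the check
reads S3 ACL and bucket-policy documents in the JSON shapes returned by
GetObjectAcl/GetBucketAcl and GetBucketPolicy. All sample inputs are constructed.
"""
from typing import Any

# Group URIs AWS uses in S3 ACLs for "anyone" and "any AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
# Bucket-policy actions that let the principal fetch object contents.
READ_ACTIONS = {"*", "s3:*", "s3:get*", "s3:getobject"}


def acl_public_read(acl: dict[str, Any]) -> bool:
    """True if the ACL grants READ (or FULL_CONTROL) to AllUsers or AuthenticatedUsers.
    AuthenticatedUsers counts as public: anyone with an AWS account qualifies."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in READ_PERMISSIONS):
            return True
    return False


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal: Any) -> bool:
    """Principal "*" or {"AWS": "*"} (possibly inside a list) means anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_public_read(policy: dict[str, Any]) -> bool:
    """True if an unconditional Allow statement gives object-read actions to everyone.
    Statements carrying a Condition block are skipped; they need manual review."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if any(a.lower() in READ_ACTIONS for a in _as_list(stmt.get("Action", []))):
            return True
    return False


def audit(acl: dict[str, Any], policy: dict[str, Any]) -> list[str]:
    """Return human-readable findings; an empty list means no public read path was found."""
    findings = []
    if acl_public_read(acl):
        findings.append("ACL grants READ to a public group")
    if policy_public_read(policy):
        findings.append("bucket policy allows anonymous object reads")
    return findings


# Constructed samples: an exposed ticket attachment, and the same object after the fix.
EXPOSED_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
EXPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-tickets/*"}],  # placeholder bucket
}
FIXED_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [EXPOSED_ACL["Grants"][0]]}
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/helpdesk"},  # placeholder
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-tickets/*"}],
}

if __name__ == "__main__":
    print("exposed:", audit(EXPOSED_ACL, EXPOSED_POLICY))
    print("fixed:  ", audit(FIXED_ACL, FIXED_POLICY))
```

The ACL and the bucket policy are independent grant paths, so a clean policy does not save you from a public-read ACL on a single object (or the reverse); both have to be checked for every object that carries personal data, and AuthenticatedUsers is deliberately treated as public because any AWS account in the world satisfies it.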
In addition to the fine, the agreement required Samanage to:
- redesign its security program.
- conduct a risk assessment to ensure personally identifiable information is not compromised.
- improve employee training.
- implement access control measures for the portions of its systems that store personal information.
The settlement comes on the heels of a $130,000 penalty levied against a health IT support services company by New York Attorney General Eric T. Schneiderman for failing to report a data breach for more than a year.