IT support contractor Samanage agrees to $264,000 fine over Vermont Health Connect breach

Samanage will pay $264,000 for failing to notify anyone about a data breach last year.

An IT company that provided business support services to Vermont’s health insurance exchange has agreed to pay $264,000 and alter its security program after it failed to report an incident that exposed the information of 660 people last year.

Samanage, which provides cloud-based support services, was subcontracted by Wex Health, Vermont’s primary IT help desk contractor that supports Vermont Health Connect, the state’s insurance exchange. In June 2016, a Wex employee included an Excel spreadsheet containing the names and Social Security numbers of 660 Vermont residents in a job ticket sent to Samanage.


Samanage failed to require authentication for the URL containing the spreadsheet, and the exposure was later discovered when a Vermont Health Connect customer put her name into an internet search engine, according to a settlement (PDF) released by the Vermont attorney general’s office.

The North Carolina company changed the security settings after being notified by Amazon, which was hosting the document on its cloud service. But Samanage failed to notify Wex about the breach until several months later, after it was contacted by the attorney general’s office.

“Absent intervention by the Attorney General, there is no indication that Samanage planned to inform anyone of the breach,” the settlement stated.

In addition to the fine, the agreement required Samanage to:

  • redesign its security program.
  • conduct a risk assessment to ensure personally identifiable information is not compromised.
  • improve employee training.
  • implement access control measures for portions of the system that store personal information.

The settlement comes on the heels of a $130,000 penalty levied against a health IT support services company by New York Attorney General Eric T. Schneiderman for failing to report a data breach for more than a year.
