Service desk solution provider SAManage USA has paid $264,000 to settle a case with the State of Vermont, after a spreadsheet containing names and Social Security numbers of 660 people was attached to a support ticket and left publicly viewable for nearly two months.
SAManage’s cloud-based IT support system was being used by WEX Health, which sells a healthcare financial management platform used by Vermont’s Health Connect insurance portal.
The case offers yet another example of how – in the area of healthcare compliance – a seemingly minor oversight can expose IT services firms to substantial financial and reputational risks.

On June 2, 2016, a WEX Health employee attached a Microsoft Excel spreadsheet to a job ticket in the SAManage support system.
“The IT support system communicated job tickets via a unique URL generated by a hash algorithm,” according to the settlement, signed Sept. 27.
“SAManage did not authenticate the entity requesting information via the URL (by, for example, requesting a username and password),” the document goes on. “Anyone, anywhere, could theoretically guess the URL and type it into a standard web browser, and have access to the document.”
But in this case, a malicious actor would not have had to guess the URL: a Microsoft Bing web crawler found the link, and Bing returned it in its search results.
“The Bing search results revealed not only the link to the spreadsheet, but previewed the contents of the spreadsheet,” the settlement reads. “The search results themselves displayed the names and social security numbers of some of the Vermonters in the spreadsheet.
“This means that it was possible to view exposed social security numbers without clicking the link for the spreadsheet, making it impossible to know how many people actually saw the exposed data.”
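The weakness the settlement describes is a "capability URL": a link whose unguessable token is the only thing standing between the file and the public, with no check on who is asking. The following is an added illustration, not code from SAManage or WEX Health. It models a ticket-attachment endpoint in two forms, the token-only version beside a hardened one that also requires an authenticated session, checks that the caller's tenant owns the ticket, and marks the response non-indexable. All names, session ids, ticket ids and file contents are constructed for the example.

```python
"""Model of the attachment-download weakness described in the settlement.

Added illustration, not code from SAManage or WEX Health.  Everything here
(ticket ids, tenant names, session ids, file contents) is constructed.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# (HTTP status, response headers, body)
Response = Tuple[int, Dict[str, str], bytes]


@dataclass
class Attachment:
    ticket_id: str
    owner_org: str      # tenant that opened the ticket
    filename: str
    content: bytes


# token -> attachment; the token is the only variable part of the "unique URL".
ATTACHMENTS: Dict[str, Attachment] = {}

# Hypothetical session store: session cookie value -> (user, tenant).
SESSIONS: Dict[str, Tuple[str, str]] = {
    "sess-alice": ("alice", "wexhealth"),
    "sess-mallory": ("mallory", "other-tenant"),
}


def register_attachment(ticket_id: str, owner_org: str,
                        filename: str, content: bytes) -> str:
    """Store a file and return the hash-derived token used in its URL.

    The token is effectively unguessable, so guessing is not the realistic
    threat; leakage is (crawlers, Referer headers, forwarded links)."""
    token = hashlib.sha256(secrets.token_bytes(32) + content).hexdigest()
    ATTACHMENTS[token] = Attachment(ticket_id, owner_org, filename, content)
    return token


def serve_insecure(token: str, session_id: Optional[str] = None) -> Response:
    """The pattern in the settlement: possession of the URL is the only check.

    The session argument is accepted but ignored, so an anonymous crawler
    sending no cookies gets the file and can index its contents."""
    att = ATTACHMENTS.get(token)
    if att is None:
        return 404, {}, b""
    return 200, {"Content-Type": "application/vnd.ms-excel"}, att.content


def serve_secure(token: str, session_id: Optional[str] = None) -> Response:
    """Hardened form: the URL locates the file, the session authorizes it.

    1. Require an authenticated principal (401 otherwise).
    2. Check that the principal's tenant owns the ticket; answer 404 rather
       than 403 so a leaked token does not even confirm the file exists.
    3. Mark the response non-indexable and non-cacheable as defence in depth;
       crawlers that honour X-Robots-Tag will not surface a preview, but
       this is no substitute for step 1."""
    headers = {
        "X-Robots-Tag": "noindex, nofollow, noarchive",
        "Cache-Control": "private, no-store",
    }
    principal = SESSIONS.get(session_id) if session_id else None
    if principal is None:
        return 401, headers, b""
    att = ATTACHMENTS.get(token)
    if att is None or att.owner_org != principal[1]:
        return 404, headers, b""
    headers["Content-Type"] = "application/vnd.ms-excel"
    headers["Content-Disposition"] = f'attachment; filename="{att.filename}"'
    return 200, headers, att.content


def crawler_fetch(handler, token: str) -> int:
    """Simulate an anonymous crawler hit: it knows the URL but has no session."""
    status, _headers, _body = handler(token, None)
    return status


# Constructed sample: a spreadsheet attached to a ticket by the "wexhealth" tenant.
SAMPLE_TOKEN = register_attachment(
    "TICKET-1", "wexhealth", "members.xlsx",
    b"name,ssn\r\nJane Example,000-00-0000\r\n")


if __name__ == "__main__":
    print("crawler vs insecure endpoint:", crawler_fetch(serve_insecure, SAMPLE_TOKEN))
    print("crawler vs hardened endpoint:", crawler_fetch(serve_secure, SAMPLE_TOKEN))
    print("other tenant vs hardened:", serve_secure(SAMPLE_TOKEN, "sess-mallory")[0])
    print("owner vs hardened:", serve_secure(SAMPLE_TOKEN, "sess-alice")[0])
```

The split between locating and authorizing is the point: the random token may stay in the URL for convenience, but the decision to return bytes has to rest on an authenticated identity and an ownership check, and the `noindex` header only limits how far a leak travels once the primary control has already failed.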
Sometime in late July of last year, a Vermont woman searching for her own name stumbled across the spreadsheet.  
She noticed the URL contained the letters “AWS,” indicating the document was being hosted on Amazon Web Services. 
The woman notified the office of the Vermont Attorney General, which in turn reached out to AWS.
On July 25, an Amazon employee emailed an engineer at SAManage about the breach.
“The engineer did not inform the appropriate personnel at SAManage that a security breach had occurred,” the settlement states. “SAManage remediated the breach by changing the spreadsheet’s security settings to require authentication.”
SAManage, however, failed to notify the Attorney General within 14 days – as required by law – failed to inform WEX Health or the public that a breach had occurred, and did not implement broader authentication requirements to prevent a similar occurrence.
In fact, it wasn’t until the Attorney General’s office obtained the information from AWS and contacted SAManage directly in late September of 2016, that SAManage notified its client and the public.
“Absent intervention by the Attorney General, there is no indication that SAManage planned to inform anyone of the breach,” the settlement states.
SAManage does not appear to have issued a public statement in the case but admitted to all facts in the settlement document.
It is unclear whether SAManage might also face sanctions or other financial penalties from the federal government, since HIPAA violations are enforced by the U.S. Department of Health and Human Services Office for Civil Rights.
Vermont Attorney General T.J. Donovan pointed to the SAManage case as an example that his office takes such data breaches very seriously.
“Vermonters are increasingly aware of the dangers of mishandling Social Security numbers, and we will continue to protect them by enforcing our data breach and consumer protection laws,” he said in a statement. “This is an appropriate penalty given the specific facts of this incident and that the company fully cooperated with our investigation.”

Send tips and news to MSPmentorNews@Penton.com.