NY: Arc of Erie County fined $200,000 for online security breach
Jonathan D. Epstein has an update to a breach originally reported in March of this year.
The Arc of Erie County – a nonprofit social services agency formally known as Heritage Centers – will pay a $200,000 fine to the state, review its policies and analyze its potential electronic security risks after a breach of client information on its website exposed names, Social Security numbers and other confidential data to public viewing over a period of 31 months.
The Buffalo-based agency, which serves people with intellectual and developmental disabilities, agreed to the settlement with the State Attorney General’s office, which requires the agency to conduct a “thorough risk analysis of security risks and vulnerabilities of all electronic equipment and data systems,” and report back within 180 days. It must also study and revise its procedures based on that assessment, and then notify the state if it takes action or why no action was necessary.
Read more on The Buffalo News.
Statement by NYS AG Barbara Underwood:
BUFFALO – Attorney General Barbara D. Underwood today announced a settlement with The Arc of Erie County, a Buffalo-based nonprofit that provides services to people with developmental disabilities and their families, after finding that the company exposed clients’ sensitive personal information on the internet for years. The settlement requires The Arc of Erie County to conduct a thorough risk analysis of security risks and vulnerabilities of all electronic equipment and data systems, review its policies and procedures, and pay a $200,000 penalty.
“The Arc of Erie County’s work serves our most vulnerable New Yorkers – and that comes with the responsibility to protect them and their sensitive personal information,” said Attorney General Underwood. “This settlement should provide a model to all charities in protecting their communities’ personal information online.”
The Arc of Erie County, formerly known as Heritage Centers, is a chapter of The Arc New York – a national community-based organization advocating for and serving people with intellectual developmental disabilities. The company maintains a principal business address in Buffalo, and serves clients throughout the Western New York area.
In early February 2018, The Arc of Erie County received a tip from the public that its clients’ personal information was exposed on its website – including full names, social security numbers, gender, race, primary diagnosis codes, IQs, insurance information, addresses, phone numbers, dates of birth, and ages.
In a subsequent report, a forensic investigator found that the information was publically available on the internet from July 2015 to February 2018 and affected 3,751 clients residing in New York. The report confirmed that, upon searching the internet with any search engine, a results page would include links to spreadsheets with clients’ sensitive information. The open webpage was intended only for internal use and was supposed to be protected by a log-in requirement. The report also found that unknown individuals outside the country accessed the links with the sensitive information on many occasions. There was no evidence of malware or other malicious software on the system or any ongoing communications with outside IP addresses.
On or about March 9, 2018, The Arc of Erie County formally notified affected clients in New York that the organization had inadvertently disclosed their sensitive information. It also provided the aggrieved clients with a free one-year subscription to LifeLock to protect themselves from identity theft. The organization also posted a link to information regarding the breach on its website and a notice in the Buffalo News on March 14, 2018.
Pursuant to the federal Health Insurance Portability Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act (“HIPAA”), The Arc of Erie County is required to safeguard patients’ protected health information, including social security numbers, and utilize appropriate administrative, physical, and technical safeguards.
The settlement requires The Arc of Erie County to implement a Corrective Action Plan that includes a thorough risk analysis of security risks and vulnerabilities of all electronic equipment and data systems and submit a report of those findings to the Attorney General’s Office within 180 days of the settlement. The organization must also review and revise its policies and procedures based on the results of the assessment and notify the Attorney General’s Office of any action it takes. If no action is taken, the company must provide a written detailed explanation of why no action is necessary. Finally, the organization will pay a $200,000 penalty to the State.
This case was handled by Bureau of Internet and Technology Deputy Bureau Chief Clark Russell, under the supervision of Bureau Chief Kim Berger. The Bureau of Internet and Technology is overseen by Executive Deputy Attorney General for Economic Justice Manisha M. Sheth.