Vermont Health Connect Data Breach (2016)

The Attorney General reached a settlement (link is external) today regarding a security breach involving the Social Security numbers of 660 Vermont Health Connect users. SAManage USA, Inc, a technology company that provides business-support services, agreed to alter its information security and legal compliance programs and to pay a penalty of $264,000. In July 2016, SAManage’s IT ticketing system allowed an excel spreadsheet containing the 660 social security numbers to be viewed publicly without requiring authentication. A Microsoft Bing web crawler discovered the URL of the spreadsheet and incorporated it into its search results, where it was found by a Vermonter, who reported the breach to the Attorney General. The Attorney General then investigated the SAManage breach. It appeared that due to a miscommunication within the company, this breach would have gone unreported were it not for the Attorney General’s intervention.