Even Minimal Exposure Can Result In Huge Fines
Posted by aonenetworks On October 19, 2017Data security is no laughing matter, and even small exposures can lead to hefty fines, no matter the size of your company.
Last year, the federal government sent shockwaves through the industry when they began an aggressive campaign of investigating and punishing companies for HIPAA infractions, logging more than a dozen high profile settlements.
While it’s true that this particular case did not involve a HIPAA violation, it has much in common with the hefty fines the federal government has been levying as of late for even small HIPAA infractions. This particular incident revolved around a spreadsheet which contained personal data on 660 ACA enrollees in the state of Vermont.
The spreadsheet was on a remote server managed by Samanage USA, a small North Carolina-based IT support service, and was improperly secured, allowing for unauthorized access to it.
As it happened, one of the people on the spreadsheet was doing a Google search of her own name and came across the entry in a search result. When she saw it, she immediately notified the state’s Attorney General, which prompted a formal investigation.
The search result was traced back to Amazon’s Web Services platform, and then to Samanage. An Amazon engineer emailed Samanage to inform them that it had PII improperly secured and publicly accessible, and asked them to remove it.
Samanage began an investigation of their own, found the problem and promptly corrected it, but failed to inform their client company, WEX Health about the breach.
Ultimately, this is what got Samanage in trouble. According to the settlement, the $264,000 fine was levied specifically for not notifying the proper authorities that the breach had occurred, which, under Vermont state law, included WEX Health.
The reason that this was not seen as a HIPAA breach was that Samanage was a subcontractor for the information services provider to a health plan offered through the ACA’s marketplace. As such, they were designated as a non-covered entity where HIPAA privacy, security and breach notification rules were concerned.
Imagine how much bigger the fine would have been if they had been in violation. A sobering thought indeed.