On September 9, Chris Vickery (previously referred to as “TE” in earlier coverage) notified the KDHE that what appeared to be the entire Kansas State Self Insurance Fund SIMS database was exposed online, as were databases from other agencies and organizations. KDHE immediately notified Systema Software, who promptly secured the leaking files. Vickery also contacted DataBreaches.net, who reported on the leak and the extensive amount of sensitive personal, financial, and medical information that had been exposed.
Today, Salt Lake County issued a statement about the incident that provides some additional details.
Salt Lake County, UT— On September 9, 2015, Salt Lake County learned that the personal information of some individuals who filed workers’ compensation or third-party claims with the County, may have been temporarily accessible via the Internet from June 18, 2015 to September 9, 2015. This occurred during a scheduled upgrade by a software services company retained by the County. No County system was affected or involved.
Immediately upon learning of the incident, the County began taking steps to ensure that the source of the incident was identified. We have preliminary notification from an independent entity that the data has been secured. The County is continuing its investigation and is cooperating with all involved parties.
Since we became aware of this incident, the County’s primary concern has been the privacy and protection of any personal information which may have been accessed. We are working to identify potentially affected individuals. The County will notify and offer appropriate services to those affected. At present, we have no evidence of the misuse of any personal information.
We deeply regret any inconvenience or concern this incident may cause and want to assure our employees and the public that the County is taking steps to remedy this situation and prevent this type of incident from occurring in the future. The County is conducting a thorough review of its data security oversight procedures to ensure our third-party vendors have the proper security measures in place.
So the data were exposed for almost three months and might have been exposed for longer if not for the fact that Chris Vickery discovered the leak and responsibly reported it to the impacted clients. (See update, below post: the exposure may have been for even longer according to Chris Vickery).
But have any of the individuals whose personal, health, and/or financial information was exposed been notified? It doesn’t appear that they have been – yet. Nor do we have any figures from Systema as to how many unique individuals had their information exposed and how many records were exposed, although according to Vickery, this was a large leak. Systema continues to investigate the incident with the help of an external forensics company that they brought in, but whether they will ever publicly reveal the total number impacted remains to be seen.
What Systema has said is that they see no need to provide credit monitoring services. According to a statement from Systema reported by Joseph Conn of Modern Healthcare, no credit monitoring will be offered because
“The Texas attorney general has secured the hard drive and, as an added measure of protection, this individual has provided written confirmation to the (AG) that he has not shared or used the data inappropriately,” Systema said. “We have no indication that any data has been used inappropriately or accessed by anyone outside of this one individual, and presently do not believe there is a need for credit monitoring or identify theft services as they relate to this issue.”
But my understanding is that under most states’ data breach notification laws, individuals will still need to be notified because someone did access (and download) their data – Vickery – and most state laws do not make an exemption for data accessed without authorization by a white hat. Many states will allow for public notice if the cost of individual notification would be prohibitive, but there still needs to be notification of individuals that an incident occurred – unless the state law has a risk of harm standard or threshold.
As I’ve pointed out on Twitter, note that even though there’s a lot of health/medical information exposed in this incident, workers’ compensation and liability insurance claims are not covered by HIPAA. Unless one of these client agencies is a HIPAA-covered entity for other reasons, it’s likely that we will not see reports to HHS.
So the question is: will FTC investigate this? It seems pretty obvious that an error was made, but given that the incident created a risk of significant injury to consumers, should we be asking whether the software firm had reasonable data security policies and practices in place? Or should we just say, “Mistakes happen. Nothing to really see here. Move along.”?
Update1: After reading this post, Chris Vickery contacted this site about the start date of the data leak. He informs DataBreaches.net that June 18th was the start date when Salt Lake County‘s specific database started being migrated. “That’s absolutely not the start of the Systema data exposure. That’s only the start of Salt Lake County’s data exposure,” Chris writes. Hopefully Systema Software will disclose the actual (earliest) date of exposure.