DataBreaches.Net

More details emerge on Systema Software data leak (update1)

Posted on September 21, 2015 by Dissent

On September 9, Chris Vickery (previously referred to as “TE” in earlier coverage) notified the KDHE that what appeared to be the entire Kansas State Self Insurance Fund SIMS database was exposed online, as were databases from other agencies and organizations. KDHE immediately notified Systema Software, which promptly secured the leaking files. Vickery also contacted DataBreaches.net, which reported on the leak and on the extensive amount of sensitive personal, financial, and medical information that had been exposed.

Today, Salt Lake County issued a statement about the incident that provides some additional details.

Salt Lake County, UT — On September 9, 2015, Salt Lake County learned that the personal information of some individuals who filed workers’ compensation or third-party claims with the County may have been temporarily accessible via the Internet from June 18, 2015 to September 9, 2015. This occurred during a scheduled upgrade by a software services company retained by the County. No County system was affected or involved.

Immediately upon learning of the incident, the County began taking steps to ensure that the source of the incident was identified. We have preliminary notification from an independent entity that the data has been secured. The County is continuing its investigation and is cooperating with all involved parties.

Since we became aware of this incident, the County’s primary concern has been the privacy and protection of any personal information which may have been accessed. We are working to identify potentially affected individuals. The County will notify and offer appropriate services to those affected. At present, we have no evidence of the misuse of any personal information.

We deeply regret any inconvenience or concern this incident may cause and want to assure our employees and the public that the County is taking steps to remedy this situation and prevent this type of incident from occurring in the future. The County is conducting a thorough review of its data security oversight procedures to ensure our third-party vendors have the proper security measures in place.

So the data were exposed for almost three months, and might have remained exposed for longer had Chris Vickery not discovered the leak and responsibly reported it to the impacted clients. (See the update at the end of this post: according to Chris Vickery, the exposure may have lasted even longer.)

But have any of the individuals whose personal, health, and/or financial information was exposed been notified? It doesn’t appear that they have been – yet. Nor do we have any figures from Systema as to how many unique individuals had their information exposed or how many records were exposed, although according to Vickery, this was a large leak. Systema continues to investigate the incident with the help of an external forensics company it brought in, but whether it will ever publicly reveal the total number impacted remains to be seen.

What Systema has said is that they see no need to provide credit monitoring services. According to a statement from Systema reported by Joseph Conn of Modern Healthcare, no credit monitoring will be offered because

“The Texas attorney general has secured the hard drive and, as an added measure of protection, this individual has provided written confirmation to the (AG) that he has not shared or used the data inappropriately,” Systema said. “We have no indication that any data has been used inappropriately or accessed by anyone outside of this one individual, and presently do not believe there is a need for credit monitoring or identity theft services as they relate to this issue.”

But my understanding is that under most states’ data breach notification laws, individuals will still need to be notified, because someone – Vickery – did access (and download) their data, and most state laws make no exemption for data accessed without authorization by a white hat. Many states allow substitute public notice if the cost of individual notification would be prohibitive, but individuals still need to be notified that an incident occurred – unless the state law has a risk-of-harm standard or threshold.

As I’ve pointed out on Twitter, note that even though there’s a lot of health/medical information exposed in this incident, workers’ compensation and liability insurance claims are not covered by HIPAA. Unless one of these client agencies is a HIPAA-covered entity for other reasons, it’s likely that we will not see reports to HHS.

So the question is: will the FTC investigate this? It seems pretty obvious that an error was made, but given that the incident created a risk of significant injury to consumers, should we be asking whether the software firm had reasonable data security policies and practices in place? Or should we just say, “Mistakes happen. Nothing to really see here. Move along.”?

Update1: After reading this post, Chris Vickery contacted this site about the start date of the data leak. He informs DataBreaches.net that June 18 was only the date on which Salt Lake County’s specific database began being migrated. “That’s absolutely not the start of the Systema data exposure. That’s only the start of Salt Lake County’s data exposure,” Chris writes. Hopefully Systema Software will disclose the actual (earliest) date of exposure.

Category: Business Sector, Miscellaneous, Subcontractor, U.S.

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.