DataBreaches.Net

More details emerge on Systema Software data leak (update1)

Posted on September 21, 2015 by Dissent

On September 9, Chris Vickery (previously referred to as “TE” in earlier coverage) notified the Kansas Department of Health and Environment (KDHE) that what appeared to be the entire Kansas State Self Insurance Fund SIMS database was exposed online, as were databases from other agencies and organizations. KDHE immediately notified Systema Software, who promptly secured the leaking files. Vickery also contacted DataBreaches.net, who reported on the leak and on the extensive amount of sensitive personal, financial, and medical information that had been exposed.

Today, Salt Lake County issued a statement about the incident that provides some additional details.

Salt Lake County, UT— On September 9, 2015, Salt Lake County learned that the personal information of some individuals who filed workers’ compensation or third-party claims with the County, may have been temporarily accessible via the Internet from June 18, 2015 to September 9, 2015. This occurred during a scheduled upgrade by a software services company retained by the County. No County system was affected or involved.

Immediately upon learning of the incident, the County began taking steps to ensure that the source of the incident was identified. We have preliminary notification from an independent entity that the data has been secured. The County is continuing its investigation and is cooperating with all involved parties.

Since we became aware of this incident, the County’s primary concern has been the privacy and protection of any personal information which may have been accessed. We are working to identify potentially affected individuals. The County will notify and offer appropriate services to those affected. At present, we have no evidence of the misuse of any personal information.

We deeply regret any inconvenience or concern this incident may cause and want to assure our employees and the public that the County is taking steps to remedy this situation and prevent this type of incident from occurring in the future. The County is conducting a thorough review of its data security oversight procedures to ensure our third-party vendors have the proper security measures in place.

So the data were exposed for almost three months, and might have been exposed for longer had Chris Vickery not discovered the leak and responsibly reported it to the affected clients. (See the update at the end of this post: according to Vickery, the exposure may have been even longer.)

But have any of the individuals whose personal, health, and/or financial information was exposed been notified? It doesn’t appear that they have been – yet. Nor do we have any figures from Systema as to how many unique individuals had their information exposed or how many records were exposed, although according to Vickery, this was a large leak. Systema continues to investigate the incident with the help of an external forensics firm it brought in, but whether it will ever publicly reveal the total number of people affected remains to be seen.

What Systema has said is that they see no need to provide credit monitoring services. According to a statement from Systema reported by Joseph Conn of Modern Healthcare, no credit monitoring will be offered because

“The Texas attorney general has secured the hard drive and, as an added measure of protection, this individual has provided written confirmation to the (AG) that he has not shared or used the data inappropriately,” Systema said. “We have no indication that any data has been used inappropriately or accessed by anyone outside of this one individual, and presently do not believe there is a need for credit monitoring or identity theft services as they relate to this issue.”

But my understanding is that under most states’ data breach notification laws, individuals will still need to be notified, because someone – Vickery – did access (and download) their data, and most state laws make no exemption for data accessed without authorization by a white hat. Many states allow public notice if the cost of individual notification would be prohibitive, but there still needs to be notification of individuals that an incident occurred – unless the state law has a risk-of-harm standard or threshold.

As I’ve pointed out on Twitter, even though a lot of health/medical information was exposed in this incident, workers’ compensation and liability insurance claims are not covered by HIPAA. Unless one of these client agencies is a HIPAA-covered entity for other reasons, it is unlikely that we will see reports to HHS.

So the question is: will the FTC investigate this? It seems pretty obvious that an error was made, but given that the incident created a risk of significant injury to consumers, should we be asking whether the software firm had reasonable data security policies and practices in place? Or should we just say, “Mistakes happen. Nothing to really see here. Move along.”?

Update1: After reading this post, Chris Vickery contacted this site about the start date of the data leak. He informs DataBreaches.net that June 18th was the date when Salt Lake County’s specific database started being migrated. “That’s absolutely not the start of the Systema data exposure. That’s only the start of Salt Lake County’s data exposure,” Chris writes. Hopefully Systema Software will disclose the actual (earliest) date of exposure.

Category: Business Sector, Miscellaneous, Subcontractor, U.S.
