At the end of April, this site reported a breach at PaperlessPay that put its clients’ employees at risk of tax refund fraud and identity theft.
As reported at the time, PaperlessPay had been contacted by Homeland Security on February 19 to alert them that someone was offering access to their clients’ data for sale on the dark web. In response, PaperlessPay shut down its SQL server immediately and started investigating. They discovered that someone had gained access to their server on February 18, although they couldn’t determine precisely what data might have been accessed or copied.
PaperlessPay began notifying its clients on March 20. DataBreaches.net began updating the original post as this site became aware of clients notifying their employees of the incident.
But this week, DataBreaches.net spotted a notification from Emanate Health to the California Attorney General’s Office and wondered why this notification was so late. If PaperlessPay had notified Emanate on March 20, why were employees first being notified at the end of July?
In response to inquiries from DataBreaches.net, Emanate Health’s Chief Marketing & Communications Officer provided a timeline of their incident response. Their chronology confirmed that PaperlessPay had notified them of the incident on March 20.
However, that communication from PaperlessPay only indicated that Emanate Health employees’ information may have been compromised through the breach, and provided no detail regarding the identities of the employees whose information may have been compromised. After repeated attempts to obtain further detail, including through the involvement of legal counsel, Emanate Health finally received information from PaperlessPay indicating which employees’ information was compromised on June 26, 2020, at which time it understood its obligation to report the breach to potentially impacted employees.
That Emanate Health had to involve legal counsel to get the information they needed from PaperlessPay to notify their employees is disturbing. If PaperlessPay was unable to make that determination in a timely fashion, should they have just bit the financial bullet and offered to pay for credit monitoring services for all of Emanate’s employees who had data stored on their server?
Once Emanate Health obtained the information on June 26, they
then immediately conducted its review of the reporting obligations stemming from the breach that occurred at PaperlessPay. On July 29, 2020, Emanate Health satisfied its reporting obligation to the California Attorney General and all potentially affected employees residing in the State.
Other than assuming the worst, I really cannot see what else Emanate could have done.
This is the second breach this week where I have had significant concerns about third-party firms not providing their customers with the information or answers they need to meet their obligations to their employees or others. The second case is the Blackbaud breach, where some entities are complaining that Blackbaud isn’t answering their questions and they do not believe Blackbaud’s assurances.
I realize that large systems or organizations have tons of third-party vendors and contracts, but would it be a good time to start reviewing contracts with an eye towards what your vendor must provide and by when in the event of a breach — and contingencies if they cannot provide the information because it cannot be determined?
In the meantime, Emanate informs DataBreaches.net that they are currently assessing their options and evaluating other potential vendors at this time.