#1227401: NY: Arc of Erie County fined $200,000 for online security breach
Jonathan D. Epstein has an update to a breach originally reported in March of this year.
The Arc of Erie County – a nonprofit social services agency formally known as Heritage Centers – will pay a $200,000 fine to the state, review its policies and analyze its potential electronic security risks after a breach of client information on its website exposed names, Social Security numbers and other confidential data to public viewing over a period of 31 months.
The Buffalo-based agency, which serves people with intellectual and developmental disabilities, agreed to the settlement with the State Attorney General’s office, which requires the agency to conduct a “thorough risk analysis of security risks and vulnerabilities of all electronic equipment and data systems,” and report back within 180 days. It must also study and revise its procedures based on that assessment, and then notify the state if it takes action or why no action was necessary.
Read more on The Buffalo News.
Statement by NYS AG Barbara Underwood:
BUFFALO – Attorney General Barbara D. Underwood today announced a settlement with The Arc of Erie County, a Buffalo-based nonprofit that provides services to people with developmental disabilities and their families, after finding that the company exposed clients’ sensitive personal information on the internet for years. The settlement requires The Arc of Erie County to conduct a thorough risk analysis of security risks and vulnerabilities of all electronic equipment and data systems, review its policies and procedures, and pay a $200,000 penalty.
“The Arc of Erie County’s work serves our most vulnerable New Yorkers – and that comes with the responsibility to protect them and their sensitive personal information,” said Attorney General Underwood. “This settlement should provide a model to all charities in protecting their communities’ personal information online.”
The Arc of Erie County, formerly known as Heritage Centers, is a chapter of The Arc New York – a national community-based organization advocating for and serving people with intellectual developmental disabilities. The company maintains a principal business address in Buffalo, and serves clients throughout the Western New York area.
In early February 2018, The Arc of Erie County received a tip from the public that its clients’ personal information was exposed on its website – including full names, social security numbers, gender, race, primary diagnosis codes, IQs, insurance information, addresses, phone numbers, dates of birth, and ages.
In a subsequent report, a forensic investigator found that the information was publicly available on the internet from July 2015 to February 2018 and affected 3,751 clients residing in New York. The report confirmed that, upon searching the internet with any search engine, a results page would include links to spreadsheets with clients’ sensitive information. The open webpage was intended only for internal use and was supposed to be protected by a log-in requirement. The report also found that unknown individuals outside the country accessed the links with the sensitive information on many occasions. There was no evidence of malware or other malicious software on the system or any ongoing communications with outside IP addresses.
Date added: Aug. 30, 2018, 6:50 a.m.