Western NY Nonprofit Fined For Exposing Clients’ Personal Information Online
Attorney General Barbara D. Underwood announced last week a settlement with The Arc of Erie County, a Buffalo-based nonprofit that provides services to people with developmental disabilities and their families, after determining that the company exposed clients’ sensitive personal information on the internet for years. The settlement requires The Arc of Erie County to conduct a thorough risk analysis of security risks and vulnerabilities of all electronic equipment and data systems, review its policies and procedures, and pay a $200,000 penalty.
“The Arc of Erie County’s work serves our most vulnerable New Yorkers – and that comes with the responsibility to protect them and their sensitive personal information,” said Attorney General Underwood. “This settlement should provide a model to all charities in protecting their communities’ personal information online.” The Arc of Erie County is a chapter of The Arc New York –- a national community-based organization advocating for and serving people with intellectual developmental disabilities.
In early February 2018, The Arc of Erie County received a tip from the public that its clients’ personal information was exposed on its website – including full names, social security numbers, gender, race, primary diagnosis codes, IQs, insurance information, addresses, phone numbers, dates of birth, and ages. In a subsequent report, a forensic investigator found that the information was publicly available on the internet from July 2015 to February 2018 and affected 3,751 clients residing in New York. The report confirmed that, upon searching the internet with any search engine, a results page would include links to spreadsheets with clients’ sensitive information. The open web page was intended only for internal use and was supposed to be protected by a log-in requirement.
In March, The Arc of Erie County formally notified affected clients that the organization had inadvertently disclosed their sensitive information. It also provided the aggrieved clients with a free one-year subscription to LifeLock to protect themselves from identity theft.
Pursuant to the federal Health Insurance Portability Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act (“HIPAA”), The Arc of Erie County is required to safeguard patients’ protected health information, including social security numbers, and utilize appropriate administrative, physical, and technical safeguards.
The settlement requires The Arc of Erie County to implement a Corrective Action Plan that includes a thorough risk analysis of security risks and vulnerabilities of all electronic equipment and data systems and submit a report of those findings to the Attorney General’s Office within 180 days of the settlement. The organization must also review and revise its policies and procedures based on the results of the assessment and notify the Attorney General’s Office of any action it takes. If no action is taken, the company must provide a written detailed explanation of why no action is necessary. Finally, the organization will pay a $200,000 penalty to the State.
For a thorough risk analysis of your organization's security risks and vulnerabilities, conatct HIPAAcraticRx.