
Even Minimal Exposure Can Result In Huge Fines

By Jason Manteiga | October 19, 2017 | June 21st, 2022 | Technology News

Data security is no laughing matter, and even small exposures can lead to hefty fines, no matter the size of your company.

Last year, the federal government sent shockwaves through the industry when it began an aggressive campaign of investigating and punishing companies for HIPAA infractions, logging more than a dozen high-profile settlements.

While it’s true that this particular case did not involve a HIPAA violation, it has much in common with the hefty fines the federal government has been levying as of late for even small HIPAA infractions. This particular incident revolved around a spreadsheet which contained personal data on 660 ACA enrollees in the state of Vermont.

The spreadsheet was on a remote server managed by Samanage USA, a small North Carolina-based IT support service, and was improperly secured, allowing unauthorized access to it.

As it happened, one of the people on the spreadsheet was doing a Google search of her own name and came across the entry in a search result. When she saw it, she immediately notified the state’s Attorney General, which prompted a formal investigation.

The search result was traced back to Amazon’s Web Services platform, and then to Samanage. An Amazon engineer emailed Samanage to inform them that it had PII improperly secured and publicly accessible, and asked them to remove it.

Samanage began an investigation of their own, found the problem and promptly corrected it, but failed to inform their client company, WEX Health, about the breach.

Ultimately, this is what got Samanage in trouble. According to the settlement, the $264,000 fine was levied specifically for not notifying the proper authorities that the breach had occurred, which, under Vermont state law, included WEX Health.

The reason that this was not seen as a HIPAA breach was that Samanage was a subcontractor for the information services provider to a health plan offered through the ACA’s marketplace. As such, they were designated as a non-covered entity where HIPAA privacy, security and breach notification rules were concerned.

Imagine how much bigger the fine would have been if they had been in violation. A sobering thought indeed.

Jason Manteiga

Jason J. Manteiga, Vice President of Olmec Systems, has been part of the company for the past 20 years. He believes that having a great work environment and a supportive team is the ultimate key to success. During his more than 25 years in IT, Jason, along with Olmec Systems, has been on the Inc. 5000 “List of America’s Fastest Growing Private Companies” and Channel Futures MSP 501 “Top Managed Service Providers in North America,” along with other awards and nominations. Jason earned his Bachelor’s Degree in Information Systems from the New Jersey Institute of Technology. He also holds Microsoft MCSE, VMware VCP, and Cisco CCNA certifications. In his spare time, Jason is a contributor for The Center for Social & Legal Research (Privacy Exchange) and a member of the Morris County Chamber of Commerce. His hobbies include cycling and kayaking. He currently lives in New Jersey with his wife, two daughters and son.