The Arc of Erie County, a Buffalo, N.Y.-based nonprofit that serves people with developmental disabilities, agreed to pay a $200,000 penalty to the state of New York to resolve allegations it violated HIPAA in a yearslong data breach.
As part of the settlement, Arc of Erie County is required to conduct a thorough risk analysis of vulnerabilities of all electronic equipment and data systems, as well as review its policies and procedures. It must submit a report on its findings to the Attorney General's Office within 180 days of the settlement.
"The Arc of Erie County's work serves our most vulnerable New Yorkers — and that comes with the responsibility to protect them and their sensitive personal information," New York Attorney General Barbara Underwood said in a news release. "This settlement should provide a model to all charities in protecting their communities' personal information online."
In early February 2018, Arc of Erie County learned clients' personal information — including full names, Social Security numbers, gender, race, primary diagnosis codes, IQ scores, insurance information, addresses, phone numbers, dates of birth and ages — was exposed on its website.
An investigation determined the information had been publicly accessible in spreadsheets since July 2015 and 3,751 clients were affected. The webpage was intended only for internal use, but the investigation noted several unauthorized third parties accessed the datasets on numerous occasions. Officials said there is no evidence of malware on the system or ongoing communications with outside IP addresses.
The organization notified all affected individuals in March, and it offered them one year of free identity theft protection services.