Samanage USA, a Cary, N.C.-based technology company, will pay $264,000 to Vermont and implement an information security program as part of a settlement to resolve allegations the company failed to protect personally identifiable information in the state's healthcare exchange, Bloomberg BNA reports.
Vermont hired the third-party vendor Samanage to provide support services as a subcontractor for its exchange, Vermont Health Connect. WEX Health, a contractor to Vermont, used Samanage's cloud-based IT support services to manage the IT help desk and maintenance tasks.
In summer 2016, a Bing webcrawler discovered the URL to a Microsoft Excel spreadsheet of 660 names and Social Security numbers belonging to Vermont Health Connect users. Bing reportedly incorporated this spreadsheet, which was publicly available online without adequate authentication procedures, into search results.
A Vermont citizen notified the state's attorney general's office of the breach. An investigation into the incident found the "breach would have gone unreported" because of "a miscommunication within the company," the attorney general's office said in a Sept. 29 statement.
Ryan Van Biljon, vice president of sales and services at Samanage, told Bloomberg BNA the company "worked diligently with the AG of Vermont to comply with all of their requests" related to the settlement.