Social services agency fined $200,000 for online data breach
The Arc Erie County New York will pay a $200,000 fine to the state after it was discovered earlier this year that client data was exposed on its website for nearly three years, Buffalo News reports.
The agency must also conduct an analysis of security risks and vulnerabilities in its electronic data systems, provide a report to the State Attorney General’s office within 180 days, and revise its policies based on the analysis.
The Arc Erie County New York, formerly known as Heritage Centers, is part of a national nonprofit organization that provides support and services to children and adults with developmental disabilities. In February 2018, officials at the agency received a tip that clients’ personal information was accessible on its website, including the following:
- Addresses
- Ages
- Dates of birth
- Diagnosis codes
- Genders
- Insurance information
- Phone numbers
- Races
- Social Security numbers
An investigation found that the information of 3,751 clients had been publicly accessible from July 2015 to February 2018 via a link to spreadsheets that were intended to be accessible only by those with login credentials. Further, the investigator found that the spreadsheets had been accessed by individuals outside the U.S. on multiple occasions. The agency notified its clients of the breach on March 9, 2018, and cited a coding error as the cause.