New York, NY – August 29, 2018 – Attorney General Barbara D. Underwood today announced a settlement with The Arc of Erie County, a Buffalo-based nonprofit that provides services to people with developmental disabilities and their families, after finding that the company exposed clients’ sensitive personal information on the internet for years. The settlement requires The Arc of Erie County to conduct a thorough risk analysis of security risks and vulnerabilities of all electronic equipment and data systems, review its policies and procedures, and pay a $200,000 penalty.
“The Arc of Erie County’s work serves our most vulnerable New Yorkers – and that comes with the responsibility to protect them and their sensitive personal information,” said Attorney General Underwood. “This settlement should provide a model to all charities in protecting their communities’ personal information online.”
The Arc of Erie County, formerly known as Heritage Centers, is a chapter of The Arc New York – a national community-based organization advocating for and serving people with intellectual developmental disabilities. The company maintains a principal business address in Buffalo, and serves clients throughout the Western New York area.
In early February 2018, The Arc of Erie County received a tip from the public that its clients’ personal information was exposed on its website – including full names, social security numbers, gender, race, primary diagnosis codes, IQs, insurance information, addresses, phone numbers, dates of birth, and ages.
In a subsequent report, a forensic investigator found that the information was publically available on the internet from July 2015 to February 2018 and affected 3,751 clients residing in New York. The report confirmed that, upon searching the internet with any search engine, a results page would include links to spreadsheets with clients’ sensitive information. The open webpage was intended only for internal use and was supposed to be protected by a log-in requirement. The report also found that unknown individuals outside the country accessed the links with the sensitive information on many occasions. There was no evidence of malware or other malicious software on the system or any ongoing communications with outside IP addresses.
On or about March 9, 2018, The Arc of Erie County formally notified affected clients in New York that the organization had inadvertently disclosed their sensitive information. It also provided the aggrieved clients with a free one-year subscription to LifeLock to protect themselves from identity theft. The organization also posted a link to information regarding the breach on its website and a notice in the Buffalo News on March 14, 2018.
Pursuant to the federal Health Insurance Portability Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act (“HIPAA”), The Arc of Erie County is required to safeguard patients’ protected health information, including social security numbers, and utilize appropriate administrative, physical, and technical safeguards.
The settlement requires The Arc of Erie County to implement a Corrective Action Plan that includes a thorough risk analysis of security risks and vulnerabilities of all electronic equipment and data systems and submit a report of those findings to the Attorney General’s Office within 180 days of the settlement. The organization must also review and revise its policies and procedures based on the results of the assessment and notify the Attorney General’s Office of any action it takes. If no action is taken, the company must provide a written detailed explanation of why no action is necessary. Finally, the organization will pay a $200,000 penalty to the State.
This case was handled by Bureau of Internet and Technology Deputy Bureau Chief Clark Russell, under the supervision of Bureau Chief Kim Berger. The Bureau of Internet and Technology is overseen by Executive Deputy Attorney General for Economic Justice Manisha M. Sheth.