The Arc of Erie County – a nonprofit social services agency formerly known as Heritage Centers – will pay a $200,000 fine to the state, review its policies and analyze its potential electronic security risks after a breach of client information on its website exposed names, Social Security numbers and other confidential data to public viewing over a period of 31 months.
The Buffalo-based agency, which serves people with intellectual and developmental disabilities, agreed to the settlement with the State Attorney General's office, which requires the agency to conduct a "thorough risk analysis of security risks and vulnerabilities of all electronic equipment and data systems," and report back within 180 days. It must also study and revise its procedures based on that assessment, and then notify the state if it takes action or why no action was necessary.
Arc officials received a tip from the public in early February 2018 that clients' personal information was accessible on its website, including gender, race, diagnosis codes, insurance information, dates of birth, ages, addresses and phone numbers.
A forensic investigator found that information for 3,751 clients in New York was publicly available from July 2015 to February 2018. An online search would bring up a "results page" with links to spreadsheets containing sensitive information, which were intended for internal use only, behind log-in protection. But the investigator found that "unknown individuals" outside the United States had accessed the links "on many occasions."
The agency notified clients of the breach on March 9, 2018, and posted notices both online and in The Buffalo News.