Vermont Health Connect subcontractor put 659 social security numbers online

Follow Town Meeting Day across Vermont. Results, ballot questions and community decisions delivered each morning.

Email

Δ

[T]he names and social security numbers of 659 Vermont Health Connect customers were posted on the Internet because of a billing subcontractor’s error.

A customer identified the security breach in June when she Googled herself, according to Sean Sheehan, the spokesperson for Vermont Health Connect, who said the customer might have been the only person to see the information.

The customer called the Vermont Attorney General’s office. The office worked with Samanage, a subcontractor for Vermont Health Connect’s main biller, WEX Inc. (formerly Benaissance) to address the privacy issue.

Sheehan said the state found out about the privacy issue on Sept. 23 and reported it to the federal government on Sept. 24, which was a Saturday. The state also directed WEX to send a letter to the 659 affected customers telling them about the event, he said.

Sheehan said the state expects all contractors and subcontractors to meet strict federal regulations on privacy. WEX has hired a forensics investigator to determine how the security breach happened and whether the customer was the only person who saw the information.

“We informed the 659 consumers who may have been affected,” WEX said in a statement. “Access to this data has been disabled. At this time, we have no reason to believe that the personal information was accessed in an unauthorized manner.”

Sheehan said: “We expect WEX to put together a mitigation plan, both to ensure that a violation does not happen again as well as a remediation plan to ensure that Vermonters are taken care of.”

“I don’t know at this point what the steps or the details of that mitigation and remediation plan will be and whether it will involve Samanage continuing to work in the future,” he said.

Sheehan advised that affected customers obtain a free credit report to see if the information breach caused any problems with their credit. Most credit rating agencies offer one free credit check per year, and the letter includes phone numbers of credit rating agencies, he said.

Sheehan said the state expects WEX to rectify any issue with a person’s credit report as a result of the data breach. In the event that a customer has already used their free credit check this year, he said the state expects WEX to pay for that report.

“It’s obviously inconvenient to take time out of your day to call and request a free credit report, although it’s something we should all do on a regular basis,” Sheehan said.