ALBANY, N.Y. (Legal Newsline) – The New York attorney general has reached a settlement with a Buffalo nonprofit, The Arc of Erie County, to resolve allegations the charity exposed the personal information of clients online for several years.
According to New York State Attorney General Barbara Underwood's office, client information, including Social Security numbers, gender, age, race, insurance and primary diagnosis codes were available online at the Arc's website from July 2015 through February 2018.
The information could be found through a search engine that gave a results page with links to spreadsheets with clients' personal information, the Attorney General's Office said.
In March 2018, The Arc notified clients in New York regarding their personal information and gave clients a free one-year subscription to LifeLock as well as posted information on its website and in the Buffalo News, according to the attorney general's office.
The Federal Health Insurance Portability Accountability Act requires The Arc to take physical and technical safeguards to protect its clients' health and personal information, the attorney general's office said.
According to the settlement agreement, The Arc will pay a $200,000 penalty and will be required to implement a Corrective Action Plan including a risk analysis of all electronic equipment security risks and vulnerabilities.