An error by a contractor has caused a Systema Software data breach that exposed the confidential data of upwards of 1.5 million individuals.
Data exposed in the Systema Software data breach included names and other personal information, Social Security numbers, and unique client and claimant ID numbers. The data related to medical services provided, treatment dates, billing amounts, insurance claim information, police reports, and details of authorized and rejected insurance claims.
Data breaches are often discovered by the entity in question, but in this case it was a tech enthusiast, Chris Vickery, who discovered that a colossal amount of highly sensitive data was freely available via Amazon Web Services. Out of curiosity he downloaded some of the data to his computer. When he realized what the files contained, he started contacting the companies mentioned in the files to alert them to the security breach. He also notified Databreaches.net about his discovery.
Vickery told Databreaches.net, “There were a minimum of 1.5 million individuals who had personal details exposed, probably 1 million SSNs, more than 5 million financial transactions detailed, over 1000 entities that had data exposed, and hundreds of thousands of injury reports. Not all entities are necessarily clients of the software firm.” He also said, “Tons of financial transaction data. Bank accounts with routing numbers, check numbers, amounts, dates… and not everyone is a client. Any person or company that got paid-out is at least mentioned.”
Systema had numerous HIPAA-covered entities among its clients, and was employed by a number of U.S. companies to process their insurance claims. One of the companies that had data exposed in the incident was the Kansas State Self Insurance Fund. Over 1 million of its confidential records were estimated to have been accidentally posted to the cloud. CSAC Excess Insurance Authority (CSAC-EIA) was also affected, having approximately 570,000 records exposed, as well as 4.7 million notepad files and approximately 3 million payment entries. A number of other clients were reportedly affected.
After Vickery contacted clients affected by the Systema Software data breach, investigations into the security incident were swiftly initiated. According to the Kansas Department of Health and Environment, files were rapidly taken offline to prevent the data being downloaded by any other individual. It is not clear whether any other person was able to gain access to the data, and whether any information is still out in the open. However, the Kansas Department of Health and Environment issued a statement saying, “We have worked with our contractor to determine what information was available and to whom it was available. We are confident that all identities remain safe and confidential.”
Systema Software also investigated the breach to determine how its data had been uploaded to the cloud. Systema Software CEO, Danny Smith, replied to an email sent by Vickery saying, “Our clients are looking for confirmation that you have not shared their data with anyone else, will not share it, and will delete it.” Vickery confirmed that that was the case, and has subsequently received assistance from the Texas Attorney General to make sure all traces of data are permanently erased from his computer hard drive.