CSAC-EIA Provides Notification Regarding Systema Software Incident

Nov 10, 2015, 17:00 ET from CSAC-EIA

FOLSOM, Calif., Nov. 10, 2015 /PRNewswire/ -- CSAC-Excess Insurance Authority (CSAC-EIA) is an insurance risk sharing program for California public entities such as cities, counties, and school districts.  CSAC-EIA provides claims management services on behalf of its members for workers' compensation, general liability, or medical malpractice claims.

Systema Software is a third-party service provider to CSAC-EIA that provides and hosts a website application for claims management.  Systema Software notified CSAC-EIA on September 9, 2015, that a security researcher contacted Systema Software because he had identified a configuration in the website application that allowed him to gain access to a temporary data backup of claims databases. Systema Software was able to immediately correct the permissions for the application and eliminate the issue.  After hearing about the researcher's access and learning that Systema Software had corrected the issue, CSAC-EIA immediately began an investigation of the report and confirmed that Systema Software had hired a computer security firm to ensure that the configuration issue was corrected and to determine the extent of the access.  Systema Software confirmed that the security researcher was the only unauthorized user to access the databases.  The security researcher, who lives in Texas, also contacted the Texas Attorney General and self-reported this issue.  The Texas Attorney General investigated the report and obtained an affidavit from the security researcher, who stated under oath that: (1) he downloaded information from Systema Software's website application to an external hard drive; (2) he delivered the external hard drive to the Texas Attorney General; (3) the hard drive he turned over contains the only copy of the information he downloaded; and (4) he has not and will not engage in any unauthorized use of the information.

Based on the investigation and the researcher's sworn statement, CSAC-EIA does not believe that any information from the databases was used for any unauthorized purpose.  However, CSAC-EIA wants to let individuals know about its investigation and the information maintained in the database, which may include (depending on the claim) the individual's name, address, Social Security number, driver's license number, and medical information such as a medical status report or claim status correspondence.

CSAC-EIA regrets any inconvenience this incident may cause.  CSAC-EIA began mailing letters to individuals on November 10, 2015.  CSAC-EIA does not have address information for a small percentage of individuals whose information was in the database.  CSAC-EIA has established a dedicated call center for anyone who does not receive a letter but has made a claim against a California entity and believes his or her information may be included.  CSAC-EIA has also posted information on its website at www.csac-eia.org.  Individuals may also call 1-866-264-1049 Monday through Friday, 9am - 6pm PST.