Earlier this year, someone accessed a Sangamo Therapeutics executive's company email and, for the next 11 weeks, was able to access sensitive and secret information on the company and, potentially, its partners, according to a Tuesday securities filing.
After Sangamo discovered the email breach March 28, an "incident response team" investigated, and while there's no evidence personal patient information leaked out, the same can't be said about Sangamo's own info.
“[P]roprietary, confidential and other sensitive information of the company and other entities was accessed and may have been compromised as a result of the incident,” Sangamo disclosed in its SEC filing.
Losing control of its own information is bad enough, of course, but breaking confidentiality promises to partners could be more immediately damaging. As Sangamo warned investors in the filing, its collaborators and strategic partners could potentially claim damages or terminate their contracts because of the breach.
The company has notified federal law enforcement about the incident, and its IT team, along with outside security experts, is continuing to comb its network and systems to determine whether any additional information was accessed.
Sangamo is currently recruiting patients in phase 1 and 2 trials for gene editing-based therapies and other treatments for hemophilia A and B, lysosomal storage disorders and beta thalassemia. The company is also developing products in oncology, Huntington’s and sickle cell disease, and collaborating with Pfizer, Shire, Bioverativ and others.
Last year, Sangamo signed a $70 million collaboration license agreement with Pfizer to develop gene therapies for hemophilia A. The deal could lead to payments and royalties of $475 million for approved medications.
Sangamo said it does not maintain cyber liability insurance and doesn't have any coverage for this type of data security incident. The company declined to elaborate further.
Data security threats can lead to costly cleanups to resolve interruptions in operations, as well as legal fees, liabilities and fines if sound precautions are not taken.
Following the global Petya cyberattack in the middle of last year, Merck & Co. reported at least $300 million in expenses and lost sales after having to slow or shut down its API manufacturing, formulation and packaging systems. Returning to full capacity took at least six months, the company said.
And earlier this month, a network of more than 50 New Jersey medical practices agreed to pay $418,000 to settle HIPAA claims brought by the state’s attorney general, following the leak of patient treatment records in January 2016. The AG said Virtua Medical Group had the obligation to protect its patients’ data, even though the information was exposed by its third-party transcription vendor.
Editor's Note: This story was updated with a response from Sangamo.