The Attorneys General of a dozen states have filed a lawsuit against Medical Informatics Engineering, a healthcare software and systems developer, and NoMoreClipboard, its electronic platform for personal health records. The lawsuit concerns the 2015 data breach that compromised the protected health information (PHI) of 3.9 million individuals.
The breach occurred between May 7 and May 26, 2015. Hackers gained access to Medical Informatics Engineering’s WebChart electronic health record system, and highly sensitive patient information such as names, addresses, dates of birth, Social Security numbers, and health information was accessed.
Indiana Attorney General Curtis Hill is leading the lawsuit. The AGs of Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin are also involved.
This is the first instance of a multi-state federal lawsuit over a data breach caused by violations of the Health Insurance Portability and Accountability Act (HIPAA). The lawsuit seeks a financial judgement, civil penalties, and the adoption of a corrective action plan to address all compliance failures.
In the lawsuit, the plaintiffs allege that Medical Informatics Engineering failed to implement adequate safeguards to protect its computer systems and sensitive patient data, as required by HIPAA Rules. It is claimed that as a direct result of this negligence, a preventable data breach occurred. According to the lawsuit, “Defendants failed to implement basic industry-accepted data security measures to protect individual’s health information from unauthorized access.”
The cause of the breach was attributed to hackers accessing information through user accounts with easily guessable usernames and passwords. Medical Informatics Engineering had set up two test accounts, one of which could be accessed with the username and password ‘tester’ and the other with the username and password ‘testing.’ Both accounts could be accessed remotely without any further proof of identity or access control, such as two-factor authentication.
The lawsuit alleges Medical Informatics Engineering was aware of the security issue, as the accounts had been identified as high risk by a third-party penetration testing firm, Digital Defense, in January 2015. Even though the accounts were rated high risk, Medical Informatics Engineering did not disable them. The accounts had been set up to allow one of its healthcare provider clients to log in without having to use unique usernames and passwords.
The “tester” and “testing” accounts did not have privileged access to patient information. However, by logging in to these accounts the hackers gained a foothold in the network from which to carry out further manipulations. Through those accounts the attackers conducted an SQL injection attack, which gave them access to other accounts with administrative privileges, and those accounts were then used to exfiltrate data.
While the initial attack and data exfiltration went unnoticed, a further attempt to exfiltrate data using malware caused network performance to slow to such an extent that an alarm was generated, and Medical Informatics Engineering was alerted that its systems had been compromised. An investigation into the malware attack was launched immediately. However, while the investigation was under way, the attackers were still able to exfiltrate further data through SQL queries, which the lawsuit says demonstrates that the company’s post-breach response was “inadequate and ineffective.” Access to the compromised accounts should have been terminated immediately and the hackers’ access to the system rapidly revoked.
A major failing on the part of Medical Informatics Engineering was its inadequate security controls. Stored data had not been encrypted, and no monitoring system had been put in place to alert Medical Informatics Engineering to possible hacking attempts. Had such a system been in place, the unauthorized access would have been easy to spot: two of the IP addresses used by the attackers originated in Germany, and the logins were to shared test accounts from outside the network.
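The monitoring the lawsuit says was missing does not have to be elaborate. The following is an added example, not code from the original article or from Medical Informatics Engineering: a small Python rule set run over a handful of constructed login records. It flags exactly the conditions described above, namely successful logins to shared or test accounts, remote logins made without a second factor, and logins from a country outside an expected set. The log format, the account names beyond ‘tester’ and ‘testing’, the allowed-country list, the internal address ranges and the sample IP addresses are all assumptions made for the illustration; in a real deployment the country field would come from a GeoIP lookup on the source address.

```python
import ipaddress
from typing import Dict, List

# Constructed sample login records (NOT real MIE logs). The country field is
# embedded so the example runs offline; in practice it comes from GeoIP.
SAMPLE_EVENTS = [
    "2015-05-07T02:14:09Z user=tester src_ip=203.0.113.10 country=DE mfa=no result=success",
    "2015-05-07T08:30:45Z user=jsmith src_ip=10.20.30.40 country=US mfa=yes result=success",
    "2015-05-08T01:02:03Z user=testing src_ip=198.51.100.22 country=DE mfa=no result=success",
    "2015-05-08T09:15:00Z user=mjones src_ip=192.0.2.55 country=US mfa=no result=success",
    "2015-05-09T03:44:12Z user=tester src_ip=203.0.113.10 country=DE mfa=no result=failure",
]

# Hypothetical policy values (assumptions for the example, not from the lawsuit).
SHARED_TEST_ACCOUNTS = {"tester", "testing", "test", "guest", "demo"}
ALLOWED_COUNTRIES = {"US"}
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'timestamp key=value key=value ...' record into a dict."""
    timestamp, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["timestamp"] = timestamp
    return event


def is_internal(ip: str) -> bool:
    """True if the source address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the list of policy findings for a single successful login."""
    findings = []
    if event["user"].lower() in SHARED_TEST_ACCOUNTS:
        findings.append("shared/test account")
    if not is_internal(event["src_ip"]) and event.get("mfa") != "yes":
        findings.append("remote login without MFA")
    if event.get("country") not in ALLOWED_COUNTRIES:
        findings.append(f"login from unexpected country {event.get('country')}")
    return findings


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run the rules over successful logins and return one alert per hit."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event.get("result") != "success":
            continue  # failed attempts are worth counting too, but are out of scope here
        findings = evaluate(event)
        if findings:
            alerts.append({
                "timestamp": event["timestamp"],
                "user": event["user"],
                "src_ip": event["src_ip"],
                "reasons": findings,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert['timestamp']} {alert['user']}@{alert['src_ip']}: "
              + "; ".join(alert["reasons"]))
```

Run against the constructed records, the two German logins to ‘tester’ and ‘testing’ each trip all three rules, and the remote login by ‘mjones’ without a second factor trips one. The point is not the specific rules but that any of these conditions, evaluated as logins arrive, would have surfaced the intrusion on the first day rather than after the network slowed under the weight of exfiltration.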
The lawsuit also alleges Medical Informatics Engineering had no evidence to confirm security awareness training had been provided to its employees prior to the data breach. HIPAA regulations require that employees undergo training to understand the risks of data breaches and are aware of best practices on how to mitigate these risks.
In addition to violations of HIPAA Rules, the lawsuit alleges Medical Informatics Engineering violated several state statutes relating to the protection of personal information, unfair and deceptive practices, and data breach notifications.
Data breaches affecting medical facilities have become increasingly common in recent years. The healthcare industry is a particularly lucrative target because patient information can be sold or used for other nefarious purposes. This case shows the importance of implementing a robust data protection framework and employee training programme so that, if a data breach does occur, the organisation is fully equipped to handle it. Otherwise, not only will it suffer financial losses and reputational damage in the immediate aftermath of the breach, it may also face lawsuits and substantial fines for HIPAA violations.