Medical Informatics Engineering (MIE) has agreed to pay $900,000 to resolve a multi-state lawsuit over HIPAA violations linked to a 2015 breach of 3.9 million records. This financial penalty is in addition to the $100,000 MIE paid to the HHS Office for Civil Rights to settle its HIPAA violation case.
MIE’s product, WebChart, is a web-based electronic health record application. NoMoreClipboard (NMC), an MIE subsidiary, provides patient portal and personal health record services to healthcare organizations so that patients can access their health data. Because of those services, MIE and NMC are business associates under HIPAA and must comply with the HIPAA Rules.
Between May 7 and May 26, 2015, attackers had access to a server supporting NMC’s service. The server held names, usernames and passwords, addresses and sensitive health information, which the attackers may have accessed and exfiltrated.
In December 2018, MIE and NMC were sued for allegedly violating state laws and several HIPAA provisions. The plaintiffs were the attorneys general of 16 states: Arkansas, Arizona, Florida, Connecticut, Kansas, Kentucky, Iowa, Indiana, Louisiana, Nebraska, North Carolina, Minnesota, Michigan, Tennessee, Wisconsin and West Virginia.
The plaintiffs’ investigation found that the attackers exploited vulnerabilities including MIE’s weak password policies and its failure to implement security management processes.
The terms of the consent judgement require MIE to
- implement and maintain an information security program
- create a security information and event management (SIEM) program that permits the identification of, and a speedy response to, cyberattacks
- use data loss prevention technology to prevent unauthorized data exfiltration
- maintain activity logs and monitor them regularly
- implement controls to prevent SQL injection attacks
- use strong, complex passwords
- implement single sign-on and multi-factor authentication on all systems involving ePHI
- not use generic accounts with online access; if generic accounts are used, they must have no administrative privileges
- adhere to all of the HIPAA Security Rule’s administrative and technical safeguards
- comply with the states’ deceptive trade practices acts relating to the collection, maintenance, and protection of consumers’ protected health information (PHI)
- follow reasonable security policies and procedures
- train employees annually on data security policies and procedures
- retain a third-party expert to conduct an annual risk analysis that identifies threats and vulnerabilities to ePHI, for a period of five years
- report the findings and recommendations of each analysis to the Indiana Attorney General within 180 days, and annually thereafter.
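The consent judgement names SQL injection controls and strong passwords as required safeguards but does not describe them. The following is an added illustration, not code from MIE, NMC or the settlement documents: a login lookup built by string formatting beside the parameterized form that closes the injection, plus a minimal password policy check. The schema, user records, and the policy thresholds are constructed for the example; a real system would store salted password hashes rather than the plaintext used here for brevity.

```python
import sqlite3
import string

# Constructed sample data for the demonstration: an in-memory users table.
# Real deployments must never store plaintext passwords; this keeps the example short.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct-horse-battery"), ("admin", "s3cret-admin-pw")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Injectable: user input is spliced directly into the SQL text."""
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    # A username of  admin' --  comments out the password check entirely.
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: placeholders keep user input as data, never as SQL syntax."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Assumed policy thresholds (illustrative): at least 12 characters drawn from
# at least three of the four classes lower, upper, digit, punctuation.
def meets_password_policy(password: str, min_length: int = 12) -> bool:
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return len(password) >= min_length and sum(classes) >= 3


if __name__ == "__main__":
    db = make_db()
    payload = "admin' --"
    print("vulnerable login with injected username:", login_vulnerable(db, payload, "x"))
    print("parameterized login with same input:   ", login_parameterized(db, payload, "x"))
    print("policy check on 'password':", meets_password_policy("password"))
```

The injected username succeeds against the formatted query and fails against the parameterized one with the same input, which is the property a control "to prevent SQL injection attacks" must deliver; the policy check shows the kind of rule that "strong, complex passwords" implies in practice.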
All parties have agreed to the consent judgement, which settles the alleged violations of HIPAA and state laws, though court approval is still pending.