12-State Lawsuit Alleges Medical Firm Violated HIPAA
The company not only failed to encrypt electronic protected health information but failed to maintain a security monitoring system that could have flagged suspicious and anomalous activity.
Not one, not two, not even three—but 12 states—are suing a medical software company after attackers made off with the sensitive electronic protected health information (ePHI) of nearly four million patients.
It's the first joint cross-state HIPAA lawsuit against a healthcare provider.
Medical Informatics Engineering Inc., a company based in Fort Wayne, Ind., is the subject of the civil action. The company told the U.S. Department of Health and Human Services in 2015 that it exposed sensitive information belonging to 3.9 million users of the company’s electronic health record software. Four years later, repercussions of the incident are still making their way through the nation’s court system.
Attorneys in Medical Informatics Engineering’s (MIE) home state of Indiana filed their suit against the company on Monday; attorneys from Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin joined them. It wouldn't be a surprise to see other states pile on as well. New Hampshire's Attorney General hasn't filed a lawsuit against the company yet, but the breach did impact individuals in that state.
The problem began in June 2015, when the company announced that its network, along with the network of NoMoreClipboard, a cloud-based service by MIE that allows doctors to access and maintain health data, had been hacked. As a result, data belonging to medical centers across the U.S., including names, addresses, birthdates, Social Security numbers and health records, was compromised. At the time, affected facilities included 11 healthcare providers and 44 radiology clinics, mostly in Indiana, Ohio, and Michigan. The suit alleges the firm "failed to implement basic industry-accepted data security measures to protect individuals' health information from unauthorized access."
MIE's undoing was due in part to its use of generic accounts to access data.
According to the lawsuit, the firm set up a generic “tester” account that could be accessed by using a shared password, “tester” and a second account called “testing” with a shared password of “testing.”
Not only could the account credentials be guessed, the accounts also didn't require a unique user identification or password in order to gain remote access. The company was warned this setup was "high risk" in January 2015 but continued to employ it. As if this wasn't bad enough, in 2014 a penetration testing firm uncovered a SQL injection vulnerability in its system which the company never fixed. Hackers got into the system by obtaining access to WebChart, an application run by MIE. According to the lawsuit, an attacker ultimately used information from SQL error messages to access an account that had admin privileges and subsequently exfiltrate millions of patient records.
MIE not only failed to encrypt the sensitive data and electronic protected health information, it failed to maintain a security monitoring and alert system that could have flagged suspicious and anomalous activity including data exfiltration, abnormal administrator activities, and remote system access.
Hackers got into the system on May 7, but it wasn't until weeks later, on May 26, as the attacker was extracting data from its database, that the company realized it had been breached. Despite this, the attacker continued to exfiltrate data while the attack was being investigated, on May 26 and May 28. It wasn't until the next day that the company was able to successfully contain the breach.
“The significance of the absence of these security tools cannot be overstated, as two of the IP addresses used to access Defendants’ databases originated from Germany. An active security operations system should have identified remote system access by an unfamiliar IP address and alerted a system administrator to investigate,” the suit reads.
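The three monitoring gaps the suit describes (use of the generic "tester"/"testing" accounts, admin logins from an unfamiliar or foreign IP, and bulk data pulls) can each be expressed as a simple detection over an access audit log. The following is an added illustration written for this article, not code from MIE or the lawsuit; the log format, the field names, the admin IP baseline and the row threshold are all constructed assumptions.

```python
import csv
from io import StringIO

# Constructed sample audit log (not from the page or from MIE's systems).
# Columns: timestamp, user, role, src_ip, src_country, event, rows_returned
SAMPLE_LOG = """\
2015-05-07T02:14:00Z,tester,user,203.0.113.7,DE,login,0
2015-05-07T02:16:30Z,tester,user,203.0.113.7,DE,query,12
2015-05-07T02:20:00Z,dbadmin,admin,203.0.113.7,DE,login,0
2015-05-07T02:25:00Z,dbadmin,admin,203.0.113.7,DE,export,850000
2015-05-07T09:00:00Z,jsmith,admin,198.51.100.4,US,login,0
2015-05-07T09:05:00Z,jsmith,admin,198.51.100.4,US,query,40
"""

FIELDS = ["ts", "user", "role", "src_ip", "src_country", "event", "rows"]
GENERIC_ACCOUNTS = {"tester", "testing"}  # the shared accounts named in the suit
ALLOWED_COUNTRIES = {"US"}                # assumption: legitimate remote access is domestic only
BULK_ROW_THRESHOLD = 10_000               # assumption: a single result set this large is abnormal
# Assumption: a baseline of source IPs each admin has legitimately used before.
KNOWN_ADMIN_IPS = {"dbadmin": {"198.51.100.9"}, "jsmith": {"198.51.100.4"}}


def detect(log_text: str) -> list[tuple[str, str, str]]:
    """Run the three detections the suit says were absent over a CSV audit log.

    Returns (timestamp, rule, detail) tuples, one per alert, in log order.
    """
    alerts = []
    for ev in csv.DictReader(StringIO(log_text), fieldnames=FIELDS):
        user, ip, country = ev["user"], ev["src_ip"], ev["src_country"]
        # 1. Any use of a generic, shared account is a finding regardless of origin.
        if user in GENERIC_ACCOUNTS:
            alerts.append((ev["ts"], "generic_account", f"{user} from {ip}"))
        # 2. Admin login from an IP not in that admin's baseline; note whether it
        #    is also outside the expected region (the suit's German addresses).
        if ev["role"] == "admin" and ev["event"] == "login" \
                and ip not in KNOWN_ADMIN_IPS.get(user, set()):
            where = "foreign" if country not in ALLOWED_COUNTRIES else "domestic"
            alerts.append((ev["ts"], "admin_unfamiliar_ip", f"{user} from {ip} ({country}, {where})"))
        # 3. A bulk result set is the exfiltration signal a DLP control would key on.
        if int(ev["rows"]) >= BULK_ROW_THRESHOLD:
            alerts.append((ev["ts"], "bulk_export", f"{user} pulled {ev['rows']} rows"))
    return alerts


if __name__ == "__main__":
    for ts, rule, detail in detect(SAMPLE_LOG):
        print(ts, rule, detail)
```

On the sample log this raises four alerts, the first of them at 02:14 on May 7, two and a half weeks before the company noticed the intrusion.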
The lawsuit compels the company to discontinue the use of generic accounts, require multi-factor authentication, and implement and maintain data loss prevention technology that can detect and prevent unauthorized data exfiltration, among other provisions.
Having a healthy data protection strategy in place, one that can detect suspicious activity while protecting sensitive information, like ePHI, can help prevent data exfiltration and satisfy the HIPAA Privacy Rule.