Medical Informatics Engineering Fined $900,000 for 2015 Data Breach Following Multi-State Lawsuit

Only a few days after it agreed to a settlement with OCR, Medical Informatics Engineering (MIE) has been instructed to pay a $900,000 financial penalty to resolve a multi-state lawsuit over a 2015 data breach that saw 3.9 million patient records compromised.

MIE, an Indiana-based provider of electronic medical record software and services, experienced the data breach when hackers compromised the server of its NoMoreClipboard (NMC) subsidiary. Through providing these services, MIE acts as a business associate (BA) to several healthcare organizations covered by HIPAA’s rules, and are therefore themselves required to be compliant with the legislation.

The hackers had access to the server for 19 days between May 7 and May 26, 2015. The breach affected 239 of MIE’s healthcare clients, compromising the protected health information (PHI) of 3.9 million individuals.

The records that could be accessed by the hacker included names, phone numbers, addresses, usernames, passwords, security questions and answers, spouse details, birth dates, Social Security numbers, health insurance policies, diagnoses, disability codes, doctor information, and other medical information.

A multi-state lawsuit was brought against MIE in December 2018 alleging MIE and NMC had violated state laws and HIPAA legislation and therefore had not adequately protected PHI from being access by unauthorized individuals. A total of 16 state attorneys general were named as plaintiffs in the lawsuit: Arizona, Arkansas, Connecticut, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee, West Virginia, and Wisconsin.

The plaintiffs’ investigation into the breach revealed that hackers had exploited several vulnerabilities in MIE’s security systems to access PHI. Furthermore, MIE had poor password policies in place, and security management protocols had not been followed.

According to reports, the hackers first gained access through compromised employee email accounts. Allegedly, the hackers accessed the account by guessing the credentials; in both cases, the usernames and passwords were identical. One account’s credentials were ‘tester’, and the second used ‘testing’.

In addition to paying the financial penalty, MIE agreed to implement and maintain an information security program and deploy a security incident and event monitoring (SIEM) solution to allow it to detect and respond quickly to cyber attacks.

MIE must use data loss prevention technology to prevent the unauthorized exfiltration of data, and controls must be implemented to prevent SQL injection attacks. MIE management must maintain and review activity logs to monitor who is accessing PHI and whether they have the correct authorization to do so.

The security program also requires MIE to update their password policies, requiring the use of strong, complex passwords and multi-factor authentication and single sign-on must be used on all systems that store or are used to access ePHI.

MIE must implement additional controls to limit the creation of accounts that have access to ePHI. MIE must refrain from using generic accounts that can be accessed via the Internet, and no generic accounts are allowed to have administrative privileges.

MIE is also required to comply with all the administrative and technical safeguards of the HIPAA Security Rule and states’ deceptive trade practices acts concerning the collection, maintenance, and safeguarding of consumers’ protected health information.

MIE has also agreed to provide appropriate training to all employees regarding its information security policies. Employee training must be provided at least annually.

Also, MIE is required to engage a third-party professional to conduct an annual risk analysis to identify threats and vulnerabilities to ePHI each year for the next five years. A report of the findings of that risk analysis and the recommendations must be sent to the Indiana Attorney General within 180 days and annually after that.

All parties named on the lawsuit have agreed to the consent judgement, resolving the alleged HIPAA violations and violations of state laws. The consent judgement now awaits court approval. The consent judgement can be found on the website of the Florida Office of the Attorney General.