Medical Informatics Engineering and NoMoreClipboard are facing a multi-state federal lawsuit over the 2015 data breach that exposed the information of 3.9 million people.
Indiana Attorney General Curtis Hill is the lead attorney general in the lawsuit, joined by 11 other participating states: Arizona, Arkansas, Iowa, Florida, Kentucky, Kansas, Louisiana, Minnesota, North Carolina, Nebraska and Wisconsin.
This is the first time state attorneys general have joined together in a federal lawsuit over a data breach resulting from HIPAA violations. The lawsuit seeks a financial judgment, civil penalties, and corrective action for the following alleged compliance failures by Medical Informatics Engineering.
A Failure to Employ Sufficient Security Controls
The lawsuit claims that Medical Informatics Engineering did not implement adequate security controls to safeguard its computer systems and confidential patient information, which resulted in preventable unauthorized access to PHI.
The breach occurred between May 7 and May 26, 2015, and allowed hackers to access the WebChart electronic health record system and the highly sensitive patient data it held. The compromised data included names, addresses, birth dates, Social Security numbers, and medical information.
Identified Vulnerabilities Were Not Fixed
Medical Informatics Engineering had created two 'tester' accounts. One could be accessed with the username and password 'tester'; the other with the username and password 'testing'. Both accounts could be reached remotely with no further identification required, and were used primarily by one of the company's healthcare provider clients. The lawsuit claims that Medical Informatics Engineering knew these accounts were a security problem, because a third-party penetration testing company, Digital Defense, had rated them as high risk in January 2015. Despite that high-risk rating, Medical Informatics Engineering kept the accounts in use.
Although the accounts themselves had no privileged access, they gave the hackers a foothold in the network from which they executed an SQL injection attack. Through that attack the attackers gained access to other accounts with administrative privileges and exfiltrated data.
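Two of the failures described above, remotely reachable test accounts whose password equals the username and SQL built by string concatenation, are easy to check for and easy to fix. The following Python is an added example (not code from Medical Informatics Engineering, WebChart, or the lawsuit): it audits a constructed account inventory for accounts that look like the 'tester'/'testing' pair, and shows a concatenated lookup beside its parameterized form against an in-memory SQLite table. All account names, passwords and table contents are constructed sample data.

```python
import sqlite3

# Constructed sample account inventory (hypothetical, not MIE's data).
SAMPLE_ACCOUNTS = [
    {"username": "tester", "password": "tester", "remote": True},
    {"username": "testing", "password": "testing", "remote": True},
    {"username": "jdoe", "password": "k7$Qp!2vLm9z", "remote": True},
    {"username": "svc_backup", "password": "svc_backup", "remote": False},
]

# Generic names that should never be live, remotely reachable accounts.
KNOWN_TEST_NAMES = {"test", "tester", "testing", "demo", "guest"}


def audit_accounts(accounts):
    """Return [(username, [reasons])] for accounts that resemble the
    high-risk tester accounts: password equal to the username, or a
    generic test name that can be reached remotely."""
    findings = []
    for acct in accounts:
        reasons = []
        if acct["password"].lower() == acct["username"].lower():
            reasons.append("password equals username")
        if acct["username"].lower() in KNOWN_TEST_NAMES and acct["remote"]:
            reasons.append("generic test account exposed remotely")
        if reasons:
            findings.append((acct["username"], reasons))
    return findings


def demo_db():
    """Build a tiny in-memory users table (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("tester", "reader"), ("admin", "administrator")],
    )
    return conn


def lookup_role_vulnerable(conn, username):
    """Vulnerable form: the caller's input becomes part of the SQL text,
    so a quote in the input changes the query rather than the value."""
    sql = "SELECT role FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_role_hardened(conn, username):
    """Hardened form: the driver binds the input as a parameter, so it is
    always compared as data and can never alter the query structure."""
    sql = "SELECT role FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    for name, reasons in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{name}: {', '.join(reasons)}")
    conn = demo_db()
    probe = "x' OR role='administrator"   # input containing a quote
    print("concatenated:", lookup_role_vulnerable(conn, probe))
    print("parameterized:", lookup_role_hardened(conn, probe))
```

Run as a script, the audit flags both tester accounts and the service account with a username-as-password; the probe string returns the administrator row from the concatenated query and nothing from the parameterized one, which is exactly the difference that decides whether a low-privilege foothold can reach other accounts' data.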
Ineffective Post-Breach Response
Medical Informatics Engineering did not detect the attack or the data exfiltration. The attackers then deployed malware to exfiltrate further data, which slowed the network down enough to alert IT staff that the systems had been compromised. Even during the initial investigation of the malware, the attackers continued to exfiltrate data through SQL queries. The lawsuit cites this as evidence that the company's post-breach response was inadequate and ineffective.
Lack of Encryption and Employee Security Awareness Training
Medical Informatics Engineering did not encrypt stored data and had no monitoring system in place to alert it to potential hacking incidents. Such a system would have made it straightforward to identify the attackers' unauthorized access from Germany.
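The two preceding sections describe the kind of activity a monitoring system would have surfaced: successful logins to the high-risk test accounts, logins from a country where no legitimate user sits, and bulk reads through SQL queries that continued even during the investigation. The following Python is an added example (not MIE's code or logs): it parses a constructed application log and raises alerts on those three patterns. The log format, the field names, the country codes and the row threshold are all assumptions for the illustration.

```python
import re

# Constructed sample application log (hypothetical format and values).
SAMPLE_LOG = """\
2015-05-07T02:14:05Z login user=tester src=203.0.113.7 country=DE result=success
2015-05-07T02:15:30Z query user=tester rows=48213 table=patients
2015-05-07T09:00:01Z login user=jdoe src=198.51.100.4 country=US result=success
2015-05-07T09:02:11Z query user=jdoe rows=12 table=patients
2015-05-07T11:40:09Z login user=admin src=203.0.113.7 country=DE result=failure
2015-05-07T11:40:15Z login user=admin src=203.0.113.7 country=DE result=success
2015-05-07T11:45:00Z query user=admin rows=1200000 table=patients
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>login|query) (?P<kv>.*)$")


def parse_line(line):
    """Turn one 'timestamp event k=v k=v ...' line into a dict, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "event": m.group("event")}
    for pair in m.group("kv").split():
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def detect(log_text,
           allowed_countries=frozenset({"US"}),
           watchlist=frozenset({"tester", "testing"}),
           row_threshold=10000):
    """Return (timestamp, user, reason) alerts for:
       - successful logins from outside the allowed countries,
       - successful logins to watch-listed (high-risk) accounts,
       - queries returning at least row_threshold rows."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user = rec.get("user")
        if rec["event"] == "login" and rec.get("result") == "success":
            country = rec.get("country")
            if country not in allowed_countries:
                alerts.append((rec["ts"], user,
                               f"login from unexpected country {country}"))
            if user in watchlist:
                alerts.append((rec["ts"], user,
                               "login to high-risk test account"))
        elif rec["event"] == "query":
            rows = int(rec.get("rows", "0"))
            if rows >= row_threshold:
                alerts.append((rec["ts"], user,
                               f"bulk read of {rows} rows from {rec.get('table')}"))
    return alerts


if __name__ == "__main__":
    for ts, user, reason in detect(SAMPLE_LOG):
        print(ts, user, reason)
```

On the sample log this yields five alerts: the tester login from DE, the same login flagged as a watch-listed account, the tester's 48,213-row read, the administrator login from DE, and the administrator's 1.2-million-row read. The failed administrator login is deliberately not alerted on its own; a real deployment would add a failure-count rule, but the point here is that each of the three conditions the lawsuit describes is cheap to spot once logins and query volumes are logged at all.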
The lawsuit additionally claims that Medical Informatics Engineering had no documentation showing that employees had received security awareness training before the breach. Beyond the HIPAA Rules violations, the lawsuit alleges that Medical Informatics Engineering violated a number of state statutes relating to personal data protection, unfair and deceptive practices, and breach notification.