Dec 7, 2018
A multi-state lawsuit has been filed against Medical Informatics Engineering and NoMoreClipboard over the 2015 data breach that exposed the data of 3.9 million people.
Indiana Attorney General Curtis Hill is leading the litigation, and 11 other states are participating: Arizona, Nebraska, Minnesota, Louisiana, Kentucky, Kansas, Iowa, Florida, Arkansas, North Carolina, and Wisconsin.
This is the first time that state attorneys general have joined forces in a single lawsuit over a data breach caused by violations of the Health Insurance Portability and Accountability Act. The lawsuit seeks a financial judgment, civil penalties, and the adoption of a corrective action plan to address all compliance failures.
A Failure to Implement Sufficient Security Controls
The complaint asserts that Medical Informatics Engineering failed to implement proper security controls to protect its computer systems and confidential patient data and that, as a consequence of those failures, an avoidable data breach occurred. As per the claim, “Defendants failed to implement basic industry-accepted data safety measures to safeguard a person’s health information from illegal access.”
The breach in question occurred between May 7 and May 26, 2015. Hackers gained access to its WebChart electronic health record system and to highly sensitive patient information, precisely the kinds of data sought by identity thieves: names, Social Security numbers, dates of birth, addresses, and health information.
Known Weaknesses Were Not Rectified
Medical Informatics Engineering had set up two ‘tester’ accounts, one of which could be accessed with the username and password ‘tester’ and the other with the username and password ‘testing.’ Both accounts could be accessed remotely without any additional authentication. The complaint alleges that Medical Informatics Engineering was aware of the security problem, as the accounts had been identified as high risk by a third-party penetration testing company, Digital Defense, in January 2015. Although the accounts were high risk, Medical Informatics Engineering continued to use them. The accounts had been set up to allow one of its healthcare provider clients to log in without having to use unique usernames and passwords.
Although those accounts did not have privileged access, they did allow the hackers to gain a foothold in the network. Through those accounts, the attackers carried out an SQL injection attack, which gave them access to other accounts with administrative rights that were then used to exfiltrate data.
Post-Breach Response Failures
Although the initial attack and data exfiltration went undetected, a further attempt to exfiltrate data using malware slowed network performance to such an extent that an alarm was generated, warning Medical Informatics Engineering that its systems had been compromised. While the company was investigating the malware attack, the attackers were still able to exfiltrate more data through SQL queries, showing that the company’s post-breach response was “insufficient and ineffectual.”
No Encryption or Employee Security Awareness Training
No encryption had been used to protect stored data, and no security monitoring system was in place to alert Medical Informatics Engineering to possible hacking attempts. Had such a system been in place, it would have been easy to identify the unauthorized access, as two of the IP addresses used by the attackers originated in Germany.
The complaint also asserts that Medical Informatics Engineering had no documentation to verify that security awareness training had been provided to its employees before the data breach.
In addition to violations of HIPAA Rules, the complaint asserts that Medical Informatics Engineering violated numerous state statutes relating to the protection of personal information, unfair and deceptive practices, and data breach notification.
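The two failures described above, shared test accounts left in use and no alerting on remote access from an unexpected country, are both simple to detect from authentication logs. The following is an added example written for this article; it is not code from Medical Informatics Engineering or from the complaint. The log line format, the IP-to-country table, the allowed-country list and the sample log lines are all constructed for illustration, and the IP ranges are RFC 5737 documentation addresses, not addresses from the breach.

```python
"""Added example: flag successful remote logins that use a known shared test
account or originate from a country outside an expected set. The log format,
GeoIP table and sample lines are constructed for illustration."""
from dataclasses import dataclass
import ipaddress
import re

# Shared test accounts named in the complaint; any successful use of them
# against a production system should raise an alert.
DEFAULT_TEST_ACCOUNTS = {"tester", "testing"}

# Countries from which this hypothetical provider expects remote logins.
ALLOWED_COUNTRIES = {"US"}

# Constructed IP-to-country lookup standing in for a real GeoIP database.
# These are RFC 5737 documentation prefixes, not real attacker addresses.
IP_COUNTRY = {
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("203.0.113.0/24"): "US",
}

# Constructed log format:
# "<timestamp> LOGIN user=<name> src=<ip> result=<ok|fail>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    ip: str
    reason: str


def country_for(ip: str) -> str:
    """Return the country code for an IP, or '??' when it is not in the table.
    An unknown origin is deliberately treated as not allowed."""
    addr = ipaddress.ip_address(ip)
    for net, cc in IP_COUNTRY.items():
        if addr in net:
            return cc
    return "??"


def scan_logins(lines):
    """Scan log lines and return one Alert per policy violation found.
    Failed attempts and malformed lines are ignored; a single login can
    produce two alerts if it violates both rules."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["result"] != "ok":
            continue
        ts, user, ip = m["ts"], m["user"], m["ip"]
        if user.lower() in DEFAULT_TEST_ACCOUNTS:
            alerts.append(Alert(ts, user, ip, "login to shared test account"))
        cc = country_for(ip)
        if cc not in ALLOWED_COUNTRIES:
            alerts.append(Alert(ts, user, ip, f"login from unexpected country {cc}"))
    return alerts


# Constructed sample log lines (not real records).
SAMPLE_LOG = [
    "2015-05-07T02:14:09Z LOGIN user=jsmith src=192.0.2.10 result=ok",      # normal
    "2015-05-07T02:15:31Z LOGIN user=tester src=198.51.100.7 result=ok",    # both rules
    "2015-05-07T02:16:02Z LOGIN user=testing src=203.0.113.5 result=ok",    # test account
    "2015-05-07T02:17:45Z LOGIN user=jsmith src=198.51.100.9 result=fail",  # failed, ignored
    "not a login line",                                                     # malformed, ignored
]

if __name__ == "__main__":
    for a in scan_logins(SAMPLE_LOG):
        print(f"{a.ts} {a.user}@{a.ip}: {a.reason}")
```

Run against the constructed sample it reports three alerts: two for the ‘tester’ login (shared account and German origin) and one for the ‘testing’ login. In practice the country table would come from a maintained GeoIP source and the alerts would feed a SIEM rather than standard output, but the policy itself is the point: a pentest finding that names specific accounts as high risk can be turned into a standing detection rule the same day.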