Medical Informatics Engineering (MIE) has agreed to pay a $900,000 financial penalty to settle a multi-state lawsuit over HIPAA violations related to a 2015 data breach that exposed the records of 3.9 million individuals. The announcement came just days after MIE paid $100,000 to the HHS’ Office for Civil Rights to settle its separate HIPAA violation case.
MIE licenses WebChart, a web-based electronic health record application. Its subsidiary NoMoreClipboard (NMC) provides healthcare providers with patient web portal and personal health record services through which patients can access and manage their health data. Providing those services makes MIE and NMC business associates under HIPAA, so they are required to comply with the HIPAA Rules.
Between May 7 and May 26, 2015, hackers accessed a server containing information related to NMC’s service. They potentially viewed and exfiltrated names, addresses, sensitive health information, usernames and passwords.
In December 2018, the attorneys general of 16 states (Arizona, Arkansas, Florida, Connecticut, Iowa, Indiana, Kansas, Kentucky, Louisiana, Minnesota, Michigan, Nebraska, North Carolina, Tennessee, Wisconsin and West Virginia) filed a lawsuit against MIE and NMC alleging violations of state laws and of a number of HIPAA provisions.
The plaintiffs’ investigation found that the hackers exploited several weaknesses, including MIE’s poor password policies and its failure to implement security management processes.
Under the terms of the consent judgement, in addition to the financial penalty MIE must implement and maintain an information security program and deploy a security information and event management (SIEM) solution so that cyberattacks can be detected and responded to quickly.
Data loss prevention (DLP) technology must be used to prevent unauthorized data exfiltration, controls must be in place to prevent SQL injection attacks, and activity logs must be maintained and reviewed on a regular basis.
Password policies must require strong, complex passwords, and all systems that handle ePHI must use multi-factor authentication and single sign-on.
Additional controls must govern the creation of accounts with access to ePHI. MIE must not use generic accounts that are accessible from the internet, and generic accounts must not have administrative privileges.
MIE must also comply with all of the HIPAA Security Rule’s administrative and technical safeguards, and with the states’ deceptive trade practices acts, with respect to the collection, maintenance and security of consumers’ protected health information (PHI). Reasonable security policies and procedures must be implemented and maintained to protect that data, and MIE employees must receive appropriate training on those policies and procedures every year.
Furthermore, MIE must engage a third-party expert to perform an annual risk analysis that identifies threats and vulnerabilities to ePHI, for each of the next five years. The findings of that risk analysis and the associated recommendations must be provided to the Indiana Attorney General within 180 days and annually thereafter.
All parties have agreed to the consent judgement, which resolves the alleged HIPAA and state law violations. The consent judgement now awaits court approval.