Medical Informatics Engineering Inc. (MIE), a Fort Wayne, Ind., vendor of electronic health record software, reported a 2015 data breach to HHS that exposed the protected health information of about 3.9 million people. The legal consequences of that breach are still working their way through the courts. Here is what happened, which security controls were missing, and where the litigation stands.
Medical Informatics failed to implement adequate security measures
In 2018, attorneys general from Indiana and eleven other states sued the medical software vendor Medical Informatics Engineering over a breach that exposed the electronic protected health information (ePHI) of 3.9 million individuals; sixteen states ultimately joined the settlement. The complaint alleged that MIE failed to implement adequate security measures. It did not encrypt the sensitive data it stored, so anyone who reached the database could read the records outright. It had no security monitoring to alert it to hacking attempts, so an intruder could operate undetected. And it could not produce evidence that its employees had received adequate security training, which the HIPAA Security Rule requires so that staff understand the risks of data breaches and how to protect these systems.
Employees could also access patient records without the patient's consent. The attack first showed itself as slow network performance. Staff noticed the degradation, recognized that their systems might be compromised, and opened an investigation, but by then the attackers had already pulled patient records out of the database by running SQL queries against it. The company's response was slow to identify the cause and contain it, and that delay is what allowed the breach to grow to its final size.
It failed to heed warning signs
North Carolina Attorney General Josh Stein announced that he and other state attorneys general would settle the multistate lawsuit against Medical Informatics Engineering, Inc. and its subsidiary NoMoreClipboard, LLC. The complaint alleged that the companies failed to provide adequate security for customer data, violating HIPAA, state unfair and deceptive practices laws, state personal information protection laws, and state data breach notification laws.
It failed to maintain a security monitoring system
The complaint also alleged that Medical Informatics Engineering did not implement and properly document a security awareness training program, in violation of the HIPAA Security Rule and state privacy laws. Beyond monetary penalties, the attorneys general of Indiana and eleven other states sought a corrective action plan requiring MIE to adopt specific safeguards for the healthcare data it holds. The case attracted national media attention.
Once inside, the attackers used administrative privileges to exfiltrate data, and nothing stood in their way: the data stored on the server was not encrypted, and no security monitoring was in place to alert the company to unauthorized access. The absence of monitoring is why the intrusion ran for as long as it did before anyone noticed, and why so many patients' medical confidentiality was breached.
It failed to encrypt and maintain a security monitoring system
A lawsuit filed in New Hampshire claims that Medical Informatics failed to protect the electronic protected health information (ePHI) of nearly four million people. The company has acknowledged a 2015 breach that exposed the personal information of 3.9 million users of its electronic health record software. Security monitoring that flagged the suspicious activity as it happened would not have kept the attackers out on its own, but it could have cut the intrusion short and limited what they were able to take.
Had MIE had a security monitoring system in place, it could have alerted administrators to anomalous activity such as bulk reads of patient records, flagged the resulting data exfiltration, and flagged access by an outside party from remote systems. Instead, the company only became aware of the breach on May 26, after the attacker had been exfiltrating data for some time. Recovery took several months.
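To make concrete what "a monitoring system that could have flagged this" means in practice, here is an added example (not code from MIE or from any party to the lawsuits) of a small detection pass over database audit log lines. The log format, the sample lines, the internal network ranges, the business-hours window and the row-count thresholds are all constructed assumptions for the demonstration; a real deployment would read the database's own audit log and tune the thresholds to its baseline. The rules correspond to the three signals named above: access from outside the organization's networks, single queries that return far more rows than any clinical lookup should, and a user's cumulative read volume climbing into exfiltration territory, plus off-hours activity.

```python
"""Toy detection pass over database audit logs: flags the signals a monitoring
system would have needed to catch a bulk SQL read of patient records."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a generic key=value audit format. These are NOT
# records from the MIE incident; they only illustrate the shape of such logs.
SAMPLE_AUDIT_LOG = """\
2015-05-07T02:14:09Z user=tester src=203.0.113.45 rows=52000 stmt="SELECT * FROM patients"
2015-05-07T03:02:51Z user=tester src=203.0.113.45 rows=418000 stmt="SELECT name, ssn, dob FROM patients"
2015-05-07T09:05:12Z user=nurse_k src=10.20.4.17 rows=1 stmt="SELECT * FROM patients WHERE mrn=?"
2015-05-07T09:06:40Z user=nurse_k src=10.20.4.17 rows=12 stmt="SELECT * FROM encounters WHERE mrn=?"
2015-05-07T11:22:03Z user=billing src=10.20.7.2 rows=340 stmt="SELECT * FROM claims WHERE posted > ?"
2015-05-07T22:40:18Z user=billing src=10.20.7.2 rows=2500 stmt="SELECT * FROM claims"
"""

# Assumed policy (hypothetical values): internal address ranges, business hours
# in UTC, and the row counts above which one statement or a user's running
# total is suspicious for a clinical application.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 UTC
BULK_ROWS = 1000                # a single statement returning more rows than this
VOLUME_ROWS = 100000            # cumulative rows read by one user in the log window

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) rows=(?P<rows>\d+) stmt="(?P<stmt>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one audit line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rows"] = int(rec["rows"])
    rec["hour"] = int(rec["ts"][11:13])   # hour field of the ISO-8601 timestamp
    return rec


def is_internal(src):
    """True if the source address falls inside one of the assumed internal networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERNAL_NETS)


def detect(log_text):
    """Apply every rule to every line; return a list of (line_no, rule, user) alerts."""
    alerts = []
    rows_by_user = defaultdict(int)
    for n, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            # A line the monitor cannot read is a blind spot, so it is reported too.
            alerts.append((n, "unparseable", None))
            continue
        user = rec["user"]
        if not is_internal(rec["src"]):
            alerts.append((n, "external_source", user))
        if rec["hour"] not in BUSINESS_HOURS:
            alerts.append((n, "off_hours", user))
        if rec["rows"] > BULK_ROWS:
            alerts.append((n, "bulk_read", user))
        rows_by_user[user] += rec["rows"]
        if rows_by_user[user] > VOLUME_ROWS:
            alerts.append((n, "exfil_volume", user))
    return alerts


def users_to_escalate(alerts, min_rules=2):
    """Users who tripped at least min_rules distinct rules: the first ones an analyst should examine."""
    rules_by_user = defaultdict(set)
    for _, rule, user in alerts:
        if user is not None:
            rules_by_user[user].add(rule)
    return sorted(u for u, r in rules_by_user.items() if len(r) >= min_rules)


if __name__ == "__main__":
    found = detect(SAMPLE_AUDIT_LOG)
    for alert in found:
        print(alert)
    print("escalate:", users_to_escalate(found))
```

On the constructed sample the `tester` account trips all four rules within two lines (external source, off hours, two bulk reads, cumulative volume), while the legitimate `nurse_k` lookups trip none and the late `billing` query produces two lower-priority alerts; correlating distinct rules per user, rather than alerting on each line, is what separates the intrusion from ordinary noise.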
Settlements and a private lawsuit
Separately, the HHS Office for Civil Rights announced that Medical Informatics Engineering Inc. agreed to settle potential HIPAA violations arising from the breach; OCR's position was that the company had failed to implement adequate security measures to protect patient health information. In a private lawsuit, James Young alleges that MIE failed to properly protect his information and did not properly respond to the breach. He seeks a financial judgment and civil penalties, as well as the adoption of a corrective action plan.