Medical Informatics Engineering Inc (MIE) has agreed to a $100,000 settlement with HHS’s Office for Civil Rights for a 2015 data breach affecting 3.5 million individuals.
MIE, an Indiana-based provider of electronic medical record software and services, experienced the data breach when hackers compromised the server of its NoMoreClipboard subsidiary.
The hackers had access to the server for 19 days between May 7 and May 26, 2015. The breach affected 239 of MIE’s healthcare clients, compromising the protected health information (PHI) of 3.5 million individuals.
The hackers first gained access through compromised employee email accounts. According to some news reports, the hackers accessed the accounts by guessing the credentials; in both cases the username and password were identical. One account’s credentials were ‘tester’, and the second used ‘testing’.
MIE first posted an interim breach notification on their website two weeks after the incident occurred. MIE then notified OCR of the incident on July 23, 2015. An investigation was launched to determine the cause of the breach and whether HIPAA had been violated during the incident.
OCR discovered that MIE had failed to conduct an accurate and thorough risk analysis to identify all potential risks to the confidentiality, integrity, and availability of PHI before the breach. This oversight is a violation of the HIPAA Security Rule, 45 CFR § 164.308(a)(1)(ii)(A).
OCR stated that the PHI of 3.5 million individuals was impermissibly disclosed as a direct result of that failure, in violation of 45 CFR § 164.502(a).
The records that could be accessed by the hackers included names, phone numbers, addresses, usernames, passwords, security questions and answers, spouse details, birth dates, Social Security numbers, health insurance policies, diagnoses, disability codes, doctor information, and other medical information. Because some of these data are highly sensitive, the affected individuals were at heightened risk of identity theft and other types of fraud.
MIE chose to settle the case with OCR with no admission of liability.
In addition to the fine, MIE has agreed to adopt a corrective action plan that requires a comprehensive, organization-wide risk analysis to be conducted and a risk management plan to be developed to address all identified risks and reduce them to a reasonable and acceptable level.
“Entities entrusted with medical records must be on guard against hackers,” said OCR Director Roger Severino. “The failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”
Although MIE has settled with OCR, they are not finished dealing with the consequences of the breach. In December 2018, a multi-state lawsuit was filed against MIE by 12 state attorneys general over the breach.
The lawsuit alleged that MIE failed to implement adequate security controls, did not correct known vulnerabilities, did not use encryption, did not provide security awareness training to staff, and mishandled its response after the breach.
That lawsuit has yet to be resolved. MIE may have to pay another financial penalty to settle this lawsuit.
The 2015 data breach highlights how necessary even basic security measures, such as using strong passwords and implementing multi-factor authentication, can be for organizations wishing to avoid HIPAA penalties.
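A password-acceptance check of the kind that would have rejected the credentials described above, added here as an illustration and not code from MIE or NoMoreClipboard: it is meant to run when a password is set or reset, rejects passwords that equal or derive from the username, placeholder words and short passwords, and also flags accounts without multi-factor authentication. The deny-list, the 12-character minimum and the sample account records are constructed assumptions.

```python
import re

# Constructed deny-list of placeholder words seen on test and default accounts;
# a production policy would also check a full breached-password corpus.
PLACEHOLDER_WORDS = {"password", "tester", "testing", "test", "admin", "welcome", "changeme"}
MIN_LENGTH = 12


def _normalize(value: str) -> str:
    """Lower-case and strip punctuation so 'Tester!' and 'tester' compare equal."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def check_password(username: str, password: str) -> list[str]:
    """Return the policy rules a candidate password breaks (empty list = accepted)."""
    reasons = []
    u, p = _normalize(username), _normalize(password)
    if not p:
        return ["password is empty"]
    if p == u:
        reasons.append("password is identical to the username")
    elif u and (u in p or p in u):
        reasons.append("password is derived from the username")
    # startswith is a deliberate heuristic: 'testing123' and 'Welcome2024!' both fail.
    if any(p.startswith(word) for word in PLACEHOLDER_WORDS):
        reasons.append("password is built on a placeholder word")
    if len(password) < MIN_LENGTH:
        reasons.append(f"password is shorter than {MIN_LENGTH} characters")
    return reasons


def audit_accounts(accounts: list[dict]) -> dict[str, list[str]]:
    """Map each non-compliant username to its findings; compliant accounts are omitted."""
    # Records are constructed dicts with 'username', 'password' and 'mfa' (bool).
    # A real audit never holds plaintext; this models the check applied at enrolment.
    findings = {}
    for acct in accounts:
        reasons = check_password(acct["username"], acct["password"])
        if not acct.get("mfa", False):
            reasons.append("multi-factor authentication not enrolled")
        if reasons:
            findings[acct["username"]] = reasons
    return findings


# Constructed sample: the two reported MIE patterns plus one compliant account.
SAMPLE_ACCOUNTS = [
    {"username": "tester", "password": "tester", "mfa": False},
    {"username": "testing", "password": "testing", "mfa": False},
    {"username": "jsmith", "password": "Correct-Horse-Battery-42", "mfa": True},
]
```

Calling `audit_accounts(SAMPLE_ACCOUNTS)` reports only the two test accounts, each with three password findings plus the missing-MFA finding.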