12 States File Data Breach Lawsuit Against EHR Vendor
In Wake of Massive Data Breach, Attorneys General Allege Violations of HIPAA, State Laws
In a groundbreaking effort, the attorneys general of a dozen states have jointly filed a federal lawsuit against a cloud-based electronic health records vendor that reported a 2015 data breach affecting 3.9 million individuals.
Indiana Attorney General Curtis Hill, who is leading the lawsuit against Indiana-based Medical Informatics Engineering Inc., or MIE, and its subsidiary, NoMoreClipboard LLC, said the lawsuit filed Tuesday in an Indiana U.S. district court marks the first time state attorneys general have joined together to pursue a HIPAA-related data breach case in a federal court.
"We make it our standard practice to pursue all penalties and remedies available under the law on behalf of our citizens, and we hope our proactive measures serve to motivate all companies doing business in Indiana to exercise the highest ethics and utmost diligence," Hill says.
Besides Indiana, the other states also pursuing the lawsuit are Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin.
The lawsuit is seeking an unspecified financial judgment and civil penalties as permitted by statute, and also injunctive relief, including a variety of corrective actions to comply with HIPAA and other regulations.
At the center of the lawsuit is a 2015 hacking incident that resulted in MIE reporting a breach to federal regulators in July 2015 (see: EHR Cyberattack Affected 3.9 Million).
The lawsuit contends that MIE - a business associate providing its WebChart EHR application to physicians and medical facilities nationwide - was deficient in its security practices.
"Defendants failed to implement basic industry-accepted data security measures to protect individual's health information from unauthorized access," the lawsuit alleges.
"Defendants set up a generic 'tester' account, which could be accessed by using a shared password called 'tester' and a second account called 'testing' with a shared password of 'testing.' In addition to being easily guessed, these generic accounts did not require a unique user identification and password in order to gain remote access."
In a formal penetration test conducted by Digital Defense in January 2015, these accounts were identified as high risk, the lawsuit notes. "Yet defendants continued to employ the use of these accounts and, in fact, acknowledged establishing the generic accounts at the request of one of its healthcare provider clients so that employees did not have to log in with a unique user identification and password."
MIE did not have appropriate security safeguards or controls in place to prevent exploitation of vulnerabilities within its system, the complaint contends. The "tester" account did not have privileged access, but it did allow the attacker to submit a continuous string of queries - a SQL injection attack - throughout the database as an authorized user. "The queries returned error messages that gave the intruder hints as to why the entry was incorrect, providing valuable insight into the database structure," the lawsuit alleges.
The intruder used information gained from the SQL error messages to access the "checkout" account, which had administrative privileges, the complaint says. The "checkout" account was used to access and exfiltrate more than 1.1 million patient records from databases. "The SQL error exploit was also used to obtain a second privileged account called 'dcarlson,'" the lawsuit alleges.
The "dcarlson" account was used to access and exfiltrate more than 565,000 additional records that were stored in a database containing patient records, according to the lawsuit.
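The weakness the complaint describes, database error text returned to the person submitting the query, can be shown beside a corrected form. This is an added illustration, not code from MIE or from the complaint; the `patients` table, the function names and the sample rows are assumptions made for the example.

```python
import logging
import sqlite3
import uuid

log = logging.getLogger("ehr.lookup")

def make_db():
    # Constructed sample data, not taken from the article.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, last_name TEXT)")
    db.executemany("INSERT INTO patients (last_name) VALUES (?)",
                   [("O'Brien",), ("Smith",)])
    return db

def lookup_weak(db, last_name):
    # Weak: the input is concatenated into the statement, and the raw
    # database error is handed back to whoever sent the request.
    sql = "SELECT id FROM patients WHERE last_name = '" + last_name + "'"
    try:
        return {"ok": True, "ids": [r[0] for r in db.execute(sql)]}
    except sqlite3.Error as exc:
        return {"ok": False, "error": str(exc)}

def lookup_hardened(db, last_name):
    # Hardened: the value is bound as a parameter, so it is never parsed
    # as SQL. Any database error is logged server-side under a reference
    # id, and the caller sees only a generic message.
    try:
        rows = db.execute("SELECT id FROM patients WHERE last_name = ?",
                          (last_name,))
        return {"ok": True, "ids": [r[0] for r in rows]}
    except sqlite3.Error:
        ref = uuid.uuid4().hex[:8]
        log.exception("patient lookup failed ref=%s", ref)
        return {"ok": False, "error": "Request failed (ref " + ref + ")"}
```

In the weak version, an ordinary surname containing an apostrophe is enough to produce a database error that reaches the caller; the hardened version returns the matching record for the same input.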
"On May 25, 2015, the attacker initiated a second method of attack by inserting malware called a 'c99' cell on defendants' system. This malware caused a massive number of records to be extracted from defendants' databases. The huge document dump slowed down network performance to such an extent that it triggered a network alarm to the system administrator," the lawsuit alleges.
The system administrator investigated the event and terminated the malware and data exfiltration on May 26, 2015, according to the lawsuit. "Defendant's post-breach response was inadequate and ineffective," it charges. "While the c99 attack was being investigated, the attacker continued to extract patient records on May 26 and May 28, using the privileged 'checkout' credentials acquired through use of the SQL queries."
The breach was not successfully contained until May 29, 2015, when a security contractor hired by the defendant identified suspicious IP addresses, which led the contractor to uncover the principal SQL attack method, according to the lawsuit.
The lawsuit also alleges that MIE failed to implement and maintain an active security monitoring and alert system to detect and alert on anomalous conditions, such as data exfiltration and remote system access by unfamiliar or foreign IP addresses, and also failed to encrypt sensitive personal information and electronic PHI within its systems.
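The kind of monitoring the complaint says was missing can be sketched as three checks over an access log: use of a shared login, a source address not previously seen for the account, and an unusually large number of records read in an hour. This is an added example, not part of the complaint or any vendor's system; the log records, the per-account address baseline, the `drsmith` account and the hourly limit are all constructed assumptions.

```python
from collections import defaultdict

# Constructed access-log records: (hour, account, source_ip, rows_returned).
# Addresses come from the RFC 5737 documentation ranges.
LOG = [
    ("day1 09:00", "drsmith",  "192.0.2.10",  40),
    ("day1 09:00", "tester",   "192.0.2.11",  12),
    ("day1 22:00", "tester",   "203.0.113.7", 15),
    ("day1 23:00", "checkout", "203.0.113.7", 90000),
    ("day2 10:00", "drsmith",  "192.0.2.10",  55),
]

# Shared logins named in the complaint.
GENERIC_ACCOUNTS = {"tester", "testing"}
# Assumed baseline of addresses previously seen for each account.
KNOWN_IPS = {
    "drsmith":  {"192.0.2.10"},
    "tester":   {"192.0.2.11"},
    "checkout": {"192.0.2.12"},
}
# Assumed threshold; a real value would come from observed usage.
ROWS_PER_HOUR_LIMIT = 5000

def find_alerts(records):
    """Return (alert_type, account, detail) tuples for anomalous activity."""
    alerts = []
    volume = defaultdict(int)
    for hour, account, ip, rows in records:
        if account in GENERIC_ACCOUNTS:
            alerts.append(("shared-account-login", account, hour))
        if ip not in KNOWN_IPS.get(account, set()):
            alerts.append(("unfamiliar-source-ip", account, ip))
        volume[(account, hour)] += rows
    # Volume is judged per account per hour, after all records are counted.
    for (account, hour), total in sorted(volume.items()):
        if total > ROWS_PER_HOUR_LIMIT:
            alerts.append(("bulk-record-read", account, hour))
    return alerts
```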
"There is no documentation that defendants conducted HIPAA security and awareness training for 2013, 2014, or 2015, prior to the breach," the complaint adds.
The lawsuit alleges that those affected by the data breach "are subject to emotional distress due to their personal information and ePHI being in the hands of unknown and untrusted individuals, in addition to the increased potential for harm that could result from instances of fraud."
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine notes: "This seems to be the first coordinated multistate attorney general HIPAA action. There has been an incident in which both Connecticut and, subsequently, Vermont brought actions under HIPAA. But that did not appear to be a coordinated effort like this."
Attorney David Holtzman, vice president of compliance at the security consultancy CynergisTek, says: "Health IT organizations doing business throughout the country must sit up and take notice when 12 states attorneys general have pooled their resources to prosecute an action alleging that failures to correct known defects to their information security safeguards resulted in theft of millions of records of patients and their families."
In addition to MIE allegedly violating provisions of the HIPAA rules, the lawsuit alleges the vendor violated state unfair and deceptive practice laws, notice of data breach statutes, and personal information protection acts.
"So, not only have the AGs identified potential violations under HIPAA that, interestingly, do not include an impermissible use and/or disclosure of protected health information pursuant to HIPAA, but they've also specifically included state provisions that, except for reasonable safeguards provisions, do not overlap with HIPAA requirements," says privacy attorney Iliana Peters of the law firm Polsinelli.
"In other words, the AGs do not appear to be 'piling' state law provisions onto HIPAA provisions, or vice versa; they are focusing on specific, applicable HIPAA security and privacy provisions in addition to specific, applicable state law provisions."
Holtzman notes that the breadth and scope of the state law violations alleged in the complaint "is a stark reminder that healthcare organizations and health IT vendors must recognize and comply with the patchwork of data protection and breach notification requirements created by the lack of a comprehensive federal information privacy standard."
What Took So Long?
But with the cyberattack happening more than three years ago, why are the states filing a legal action now?
"The delay may be based on extensive investigations before deciding whether to pursue a case, and I imagine coordinating multiple attorneys general also takes significant time," attorney Greene notes.
MIE did not immediately respond to Information Security Media Group's request for comment on the case.