Cloud-Based EHR Vendor Slapped With HIPAA Fine
Investigation Came in Wake of Cyberattack That Affected Millions
Federal regulators have smacked a cloud-based electronic health records vendor with a $100,000 HIPAA settlement in the wake of a 2015 cyberattack that affected millions of individuals.
The Department of Health and Human Services says the settlement with Fort Wayne, Indiana-based Medical Informatics Engineering comes after an investigation of a breach discovered in July 2015. Hackers used a compromised user ID and password to access the electronic protected health information of approximately 3.5 million individuals, according to the HHS Office for Civil Rights, which enforces HIPAA.
"OCR's investigation revealed that MIE did not conduct a comprehensive risk analysis prior to the breach," HHS notes in a statement.
HIPAA requires entities to perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of an entity's ePHI. The lack of such a risk analysis has been a common finding in OCR's breach investigations that have resulted in enforcement actions, such as settlements.
"Entities entrusted with medical records must be on guard against hackers," says OCR Director Roger Severino. "The failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA."
In addition to the $100,000 settlement, MIE is required to undertake a corrective action plan to comply with HIPAA, including conducting an enterprisewide risk analysis.
The settlement with MIE, which apparently is OCR's first enforcement action against an EHR vendor in the wake of a breach, is the second HIPAA settlement OCR has signed this year.
Earlier this month, OCR announced a $3 million HIPAA settlement with Franklin, Tennessee-based Touchstone Medical Imaging stemming from a 2014 breach that affected 307,000 individuals. In that case, OCR alleged that the medical imaging services provider delayed investigating and mitigating the breach involving patient information leaking onto the internet via a web server - and delayed notification of victims as well.
OCR announced April 26 that it was lowering the maximum annual caps on civil monetary penalties for less egregious HIPAA violations (see: HHS Lowers Some HIPAA Fines). OCR will keep its revised interpretation of the HITECH Act penalty caps in mind "for all enforcement operations," Severino told members of the news media on April 26. That includes cases involving civil monetary penalties as well as when OCR negotiates HIPAA settlements that include corrective actions "and monies in lieu of civil monetary penalties," he said.
The MIE data breach is also the subject of a lawsuit filed against the company last December by 12 states (see: 12 States File Data Breach Lawsuit Against EHR Vendor).
Indiana Attorney General Curtis Hill, who is leading the lawsuit against MIE and its subsidiary, NoMoreClipboard LLC, said the lawsuit marked the first time state attorneys general have joined together to pursue a HIPAA-related data breach case in a federal court.
The other states also pursuing the lawsuit are Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin.
The lawsuit is seeking an unspecified financial judgment and civil penalties, and also injunctive relief, including a variety of corrective actions to comply with HIPAA and other regulations.
MIE CEO Doug Horner, in a statement provided to Information Security Media Group, says the company has cooperated with OCR since it discovered the cyberattack in May of 2015 and has been working toward a resolution since the investigation began. "We are pleased that we have settled the matter, and we will collaborate with OCR to maintain a vigilant security posture," he says.
Initially after the attack, MIE partnered with a team of third-party experts and the FBI to remediate attack vectors used by the intruders, he says.
"We have since made significant investments in additional safeguards and security measures to enhance our security posture, including security personnel, policies, procedures, controls and monitoring/prevention tools. We retained additional third-party vendors and applications to assist us with both the protection of health information and auditing/certification of our information security program," he says.
Additionally, Horner says that OCR noted that MIE did not conduct a "comprehensive" risk assessment. "While MIE routinely assesses risks, the 2015 incident demonstrates that prior risk assessments did not detect the vulnerability used by the intruder. We are pleased to work with OCR to ensure that subsequent risk assessments are more comprehensive in nature to help safeguard the protection of client and patient data from sophisticated attackers," he says.
As for the lawsuit by the 12 states against MIE, Horner says the company has been cooperating with the group of attorneys general as they have investigated the attack. "We are actively engaged with the multistate AG group to settle the matter, and we expect to announce a resolution very soon," he says.
Holding Vendors Accountable
Technology attorney Stephen Wu of the law firm Silicon Valley Law Group, who is not involved in the case, says he's pleased to see OCR is paying attention to HIPAA compliance by vendors as well as hospitals and clinics.
MIE's lack of a comprehensive security risk analysis is disturbing, he adds. "Companies are not taking care of the basics still," he says. "How can you have a security program if you haven't even conducted a risk assessment? That's a big red flag."
Under the corrective action plan included in the resolution agreement with OCR, MIE must:
- Conduct an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity and availability of the company's ePHI;
- Develop written risk management plans to address and mitigate any security risks and vulnerabilities identified in the risk analysis;
- Report to HHS failures of its workforce members to comply with the company's security policies and procedures as "reportable events."