Medical Informatics Engineering (MIE), a medical records company, and its subsidiaries recently settled with the Attorneys General (AGs) of 16 states after a data breach compromised the electronic protected health information (ePHI) of over 3 million individuals. The AGs filed a lawsuit against MIE in December 2018 in the U.S. District Court for the Northern District of Indiana. The states alleged that MIE and its subsidiaries violated state information privacy laws, the states’ deceptive trade practices statutes, and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Health Information Technology for Economic and Clinical Health (HITECH) Act gave state AGs authority to enforce HIPAA when a violation affects the state’s residents. In addition, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) investigated MIE after MIE reported the 2015 breach to OCR. During its investigation, OCR found that, prior to the breach, MIE had failed to conduct a comprehensive risk analysis. On April 23, 2019, MIE entered into a resolution agreement with OCR, agreeing to follow a two-year corrective action plan (CAP) and to pay OCR $100,000. On May 28, 2019, MIE and the involved states entered into a consent judgment and order in the District Court for the Northern District of Indiana.
In their complaint, the states alleged that in May 2015, unauthorized individuals gained access to MIE’s computer system using malware and a SQL injection attack. MIE had previously conducted a penetration test that identified SQL injection as a high-risk area, but the company never properly addressed the issue. The attack allowed unauthorized access to personally identifiable information (PII) and protected health information (PHI), including names, usernames, passwords, security questions and answers, social security numbers, lab results, health insurance policy information, diagnoses, doctor names, medical conditions, and children’s names and birth information. The AGs alleged that the unauthorized individuals were able to gain access because MIE had an insufficient security framework: generic (shared) passwords, no security monitoring or alerting system, and poorly documented security policies that did not include training. Additionally, the states alleged that MIE’s response to the security incident was inadequate and untimely, because MIE did not finish mailing breach notifications to affected individuals until six months after the discovery of the breach.
The AGs specifically alleged that MIE violated HIPAA because it failed to do the following:
- Implement administrative and technical safeguards as required by the HIPAA Security Rule;
- Meet HIPAA implementation requirements;
- Modify and review security measures needed to reasonably and appropriately protect ePHI;
- Successfully conduct an accurate and thorough assessment of the potential risks and vulnerabilities to confidentiality, integrity, and availability of ePHI in accordance with the HIPAA Security Rule;
- Implement security measures to reduce risk to appropriate levels;
- Regularly review the record of information system activities;
- Implement policies and procedures related to security incidents, suspected security incidents, access authorization, and established user rights;
- Assign unique IDs to track user activity;
- Implement mechanisms to encrypt and decrypt ePHI;
- Implement software, hardware, and procedural mechanisms to record and examine activity in systems that contain or use ePHI;
- Verify the identity of the entity or person seeking access; and
- Adhere to the minimum necessary standard.
The consent judgment and order require MIE to comply with the Administrative and Technical Safeguards under the HIPAA Security Rule, state deceptive trade practices statutes in connection with PHI, state breach notification laws, and state personal information protection acts. The consent judgment and order also require MIE to implement specific data security measures in response to the security problems that allegedly led to the breach, such as prohibiting the use of generic log-in account information and implementing reasonable measures to prevent SQL injection attacks. MIE will also have to hire a third-party professional to conduct a risk analysis and produce a security report that will be made available to the AGs on an annual basis for a five-year period. MIE and its subsidiaries, which were also defendants in the action, must designate a privacy officer or other official to ensure compliance with the consent judgment and order. In addition, MIE will pay a total of $900,000 to the states.
The Consent Judgment and Order are available at:
The OCR Press Release is available at: