by Danny Bradbury for Sophos
Twelve US states are suing an electronic healthcare record provider who lost 3.9 million personal records in 2015.
The attorneys general of Arizona, Arkansas, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina, and Wisconsin clubbed together to file suit against Indiana-based Medical Informatics Engineering (MIE) and its subsidiary NoMoreClipboard (NMC) this week. The states, each of which has residents affected by the breach, are negotiating a payout with the company.
MIE sells web-based electronic health record services to healthcare providers via NMC’s Webchart web-based portal.
Starting on 7 May 2015, hackers pilfered 3.9 million people’s personal information from MIE’s back-end systems, stealing not only names, addresses and social security numbers but also health data. This included lab results, health insurance policy information, diagnoses, disability codes, doctors’ names, medical conditions and the names and birth statistics of children.
The complaint accuses MIE of failing to properly secure its computer systems, not telling people about its system weaknesses, and then failing to provide timely notifications of the incident.
MIE failed to encrypt sensitive information, even though it said it did, the lawsuit says. It also used test accounts sharing the passwords “tester” and “testing”, established so that a client’s employees didn’t have to log in with a unique user ID.
Pen testers uncovered the issue and highlighted the risk but the lawsuit says that MIE took no action.
One of these test accounts allowed the thieves to explore the health record database with SQL injection attacks, gaining further access to privileged accounts called ‘checkout’ and ‘dcarlson’.
MIE allegedly didn’t have any data exfiltration alarms in place. It was a network performance monitoring alarm that raised the red flag because the attackers dumped records from the database at such volume that it choked off network bandwidth. The attacks continued even while administrators investigated the incident.
When the breach was discovered, MIE had only a draft incident response plan, and there was no evidence that it followed even that draft, the states say.
They add that notifications were inadequate. MIE discovered the breach on 26 May 2015, and informed the public of the breach via a notice on its website on 10 June. The company then began email notifications on 17 July, and finally sent letters in December.
MIE and NMC violated the federal HIPAA legislation protecting the privacy of health information, claim the 12 states. They’re also accusing MIE of breaking 27 state-level laws concerning data breach notification, abusive and deceptive practices, and personal information protection.
The states are proposing a consent decree to clear up the matter before getting into litigation. This calls for an as-yet undefined payout from MIE, along with its commitment to follow several security measures.
These include using multi-factor authentication, not making generic accounts accessible via the internet, using strong passwords, training staff properly in cybersecurity, using a security information and event management (SIEM) solution, and putting SQL injection attack detection measures in place.
The company will also have to conduct regular security audits with help from a qualified professional, file reports, and take action on them. In short, the settlement asks the company to do what any competent cybersecurity team charged with protecting sensitive data should be doing.
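Two of the gaps the article describes, the missing exfiltration alarm and the missing SQL injection detection, are the kind of rule a SIEM would run over web server access logs. The following is an added illustration written for this page, not code from Sophos, MIE or the lawsuit: it parses a constructed sample log (the hosts, paths, timestamps and byte counts are made up; nothing here is MIE's real traffic), flags requests whose decoded query string has an injection shape, flags clients whose response volume in a five-minute window exceeds a threshold, and correlates the two so that a client tripping both stands out. The window size, threshold and signature set are assumptions a real deployment would tune against its own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample access log in Apache common log format; hosts, paths,
# timestamps and byte counts are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [07/May/2015:02:11:03 +0000] "GET /webchart/patient?id=1042 HTTP/1.1" 200 1840
10.0.0.5 - - [07/May/2015:02:11:09 +0000] "GET /webchart/patient?id=1043 HTTP/1.1" 200 1790
203.0.113.9 - - [07/May/2015:02:12:41 +0000] "GET /webchart/patient?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 5120000
203.0.113.9 - - [07/May/2015:02:13:02 +0000] "GET /webchart/patient?id=1%20UNION%20SELECT%20name%20FROM%20users HTTP/1.1" 200 7340000
10.0.0.7 - - [07/May/2015:02:14:10 +0000] "GET /webchart/report?range=30 HTTP/1.1" 200 22000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+)$'
)

# Signatures for the most common injection shapes (assumed starting set; a
# real deployment tunes these against its own traffic to limit false positives).
SQLI_SIGNATURES = {
    "union-select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "tautology": re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I),
    "comment-truncation": re.compile(r"(--|/\*)"),
}


def parse_log(text):
    """Turn raw log lines into dicts; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append({
            "ip": m["ip"],
            "epoch": int(ts.timestamp()),
            "path": unquote(m["path"]),  # decode %27 etc. before matching
            "bytes": int(m["bytes"]),
        })
    return events


def sqli_hits(events):
    """Return (ip, decoded path, signature name) for every request that matches."""
    hits = []
    for e in events:
        for name, sig in SQLI_SIGNATURES.items():
            if sig.search(e["path"]):
                hits.append((e["ip"], e["path"], name))
                break  # one signature per request is enough to alert on
    return hits


def volume_alerts(events, window_seconds=300, threshold_bytes=1_000_000):
    """Sum response bytes per client per fixed window and return the windows
    that exceed the threshold as {(ip, window_start_epoch): bytes}."""
    totals = defaultdict(int)
    for e in events:
        bucket = e["epoch"] - e["epoch"] % window_seconds
        totals[(e["ip"], bucket)] += e["bytes"]
    return {key: total for key, total in totals.items() if total > threshold_bytes}


def correlate(events):
    """Clients that both sent injection-shaped requests and pulled an unusual
    volume of data: the combination the article describes."""
    injecting = {ip for ip, _, _ in sqli_hits(events)}
    bulk = {ip for ip, _ in volume_alerts(events)}
    return injecting & bulk


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in sqli_hits(evs):
        print("SQLi signature:", hit)
    for (ip, start), total in volume_alerts(evs).items():
        print(f"volume alert: {ip} pulled {total} bytes in window starting at {start}")
    print("correlated:", correlate(evs))
```

The volume rule is deliberately crude: it alerts on absolute bytes per window rather than on deviation from a learned per-client baseline, which is what a production SIEM would do. Even so, it fires on the sample well before the traffic would saturate a link, which is the difference between an exfiltration alarm and the network performance alarm that eventually caught the MIE attackers.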
What’s interesting here is the collaborative nature of the settlement. As voices call for stricter federal privacy protection laws, this could be a sign that states are getting fed up with these mega-breaches and are taking things into their own hands.
In October, Uber settled with all 50 states over the handling of its 2016 data breach, paying $148m. Does this latest suit herald more coordination between attorneys general to hold companies accountable?