By: Michael Jervis
A lawsuit has been filed by the attorneys general of 12 states against a company called Medical Informatics Engineering (MIE) arising out of a 2015 data breach involving stolen medical records for millions of individuals. The complaint generally alleges that MIE and its subsidiary NoMoreClipboard “failed to take adequate and reasonable measure to ensure their computer systems were protected.” The attackers compromised MIE’s WebChart application and as a result were able to obtain personal information for nearly 4 million individuals who were patients of affected providers that used the software. The information obtained included the kind of personally identifiable information typical for such breaches, including names, home addresses, birth dates, social security numbers, email addresses and passwords. Perhaps even more disturbing, the stolen information included lab results, diagnoses, medical conditions, health insurance information and other such medical data. A plurality of the patients, approximately 1.5 million, were located in Indiana. As a result of this significant breach of medical information, the attorneys general have instituted what is the first joint cross-state HIPAA breach lawsuit. The states that have joined the suit are Arizona, Arkansas, Florida, Iowa, Indiana, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina, and Wisconsin.
The complaint alleges security failings that are surprisingly simple in nature. For example, the web app allegedly contained generic accounts with the usernames “tester” and “testing.” The passwords for those accounts were, as the hackers easily guessed, “tester” and “testing,” respectively. These accounts were in part created at the request of a health care provider who specifically did not want its individual employees to use unique usernames and passwords to log in to the app. Additionally, those accounts could be used to issue SQL queries as an authorized database user. The complaint alleges the SQL queries contained little to no protection against injection attacks, which the attackers therefore exploited easily. Piling on to the problems, when SQL queries were unsuccessful, the app returned detailed error messages that revealed useful information about the database structure. The attackers were able to use this information to, among other things, access and compromise other accounts, including some with root/administrator privileges.
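To make the two coding defects described above concrete, here is an added illustration (not part of the original post, and not MIE's or NoMoreClipboard's code): a login lookup built by string concatenation beside the parameterized version, and an error path that keeps database detail out of the response. The table, account names and logger name are assumed for the demo.

```python
import logging
import sqlite3

log = logging.getLogger("webchart-demo")  # hypothetical logger name

def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the app's user table (not MIE's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    # Plaintext passwords only keep the demo short; real code stores salted hashes.
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("o'brien", "s3cret", "clinician"),
        ("tester", "tester", "dbuser"),  # a generic account like those in the complaint
    ])
    return conn

def login_vulnerable(conn, username, password):
    """The defect: user input is spliced into the SQL text, so it is parsed as SQL."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()

def login_parameterized(conn, username, password):
    """The fix the 2014 test recommended: placeholders bind input as data only."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()

def login_handler(conn, username, password):
    """Second fix: a failed query yields a generic message; detail goes to the server log."""
    try:
        row = login_parameterized(conn, username, password)
    except sqlite3.Error as exc:
        log.error("login query failed: %s", exc)  # detail stays server-side
        return {"ok": False, "error": "login unavailable"}
    if row is None:
        return {"ok": False, "error": "invalid credentials"}
    return {"ok": True, "user": row[0], "role": row[1]}

def error_message_leaked(conn, username, password):
    """What the concatenating path hands back: the raw database error, or None if it ran."""
    try:
        login_vulnerable(conn, username, password)
        return None
    except sqlite3.Error as exc:
        return str(exc)
```

A legitimate username containing an apostrophe is enough to show the difference: the concatenating version fails with a parser error that names the query fragment, while the parameterized version simply returns the matching row.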
More problematic from a legal liability standpoint, the complaint alleges MIE knew that several of these issues created security vulnerabilities but failed to take corrective action. For example, a penetration test performed by a third party in January 2015 identified the “tester” and “testing” accounts as high risk, but MIE apparently failed to address the issue. An even earlier penetration test, in 2014, identified the potential for SQL injection attacks and recommended that queries be sanitized or parameterized to protect against such attacks. According to the complaint, MIE did neither. The response to discovery of the attack was also allegedly lacking. MIE identified malware that had been placed on its system in May 2015. In the ensuing days, while MIE was focused on investigating the malware, the database compromise went undetected, and the attackers continued to siphon off medical records.
The complaint, 222 paragraphs long, contains numerous additional allegations. Based on those allegations the attorneys general are seeking injunctive relief as well as civil penalties and restitution.