[BreachExchange] EHR Vendor Penalized Again, This Time by States

Destry Winant destry at riskbasedsecurity.com
Thu May 30 09:58:56 EDT 2019


https://www.databreachtoday.com/ehr-vendor-penalized-again-this-time-by-states-a-12532

On the heels of a resolution agreement with federal regulators
announced last week, cloud-based electronic health records vendor
Medical Informatics Engineering has signed a $900,000 settlement with
16 state attorneys general in a HIPAA violations case stemming from a
2015 data breach.

In a statement, North Carolina Attorney General Josh Stein says his
state and 15 others signed a settlement with Medical Informatics
Engineering and its related firm, NoMoreClipboard, in the first
multistate HIPAA lawsuit involving a data breach (see: 12 States File
Data Breach Lawsuit Against EHR Vendor).

Under the HITECH Act, states can take civil action against
organizations for HIPAA violations. At the federal level the
Department of Health and Human Services' Office for Civil Rights
enforces HIPAA.

"MIE's data breach put people's personal information - especially
sensitive details about their health - at risk," Stein said in the
statement.

The other states signing the settlement include Indiana, which led
the lawsuit, as well as Arizona, Arkansas, Connecticut, Florida, Iowa,
Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, Tennessee,
West Virginia and Wisconsin.

On May 23, HHS's OCR announced a $100,000 settlement with Fort Wayne,
Indiana-based MIE tied to the 2015 data breach. Hackers used a
compromised user ID and password to access the electronic protected
health information of more than 3 million individuals, according to
OCR (see: Cloud-Based EHR Vendor Slapped with HIPAA Fine).

The new state attorneys general settlement resolves a December 2018
lawsuit filed in an Indiana federal court alleging that MIE violated
HIPAA as well as the states' unfair and deceptive practice laws,
notice of data breach statutes and personal information protection
laws.

The North Carolina attorney general's statement notes that between May
7 and May 26, 2015, hackers infiltrated WebChart, a web application
run by MIE.

"The hackers stole the electronic protected health information of more
than 3.9 million individuals. This data included individual names,
telephone numbers, mailing addresses, usernames, hashed passwords,
security questions and answers, spousal information, email addresses,
dates of birth, Social Security numbers, lab results, health insurance
policy information, diagnoses, disability codes, doctors' names,
medical conditions, and children's names and birth statistics," the
statement notes.

Corrective Actions

As part of its settlement with the states, MIE has agreed to:

- Comply with all administrative and technical safeguards and
implementation specifications required by HIPAA;
- Comply with the states' deceptive trade practices acts in connection
with their collection, maintenance, and safeguarding of consumers'
personal information and PHI;
- Comply with the states' breach notification laws;
- Implement and maintain an information security program that contains
administrative, technical and physical safeguards appropriate to the
size and complexity of the company's operations and the nature and
scope of its business;
- Refrain from using generic accounts that can be accessed via the
internet, and ensure that no generic accounts on its information
system have administrative privileges;
- Implement multifactor authentication for access to any portal the
company manages in connection with its maintenance of ePHI;
- Implement and maintain a security incident and event monitoring
solution to detect and respond to malicious attacks.

MIE did not immediately respond to an Information Security Media Group
request for comment on the settlement with the state attorneys
general.

OCR Settlement Terms

MIE's federal settlement with OCR also included a corrective action
plan. That requires the company to:

- Conduct an assessment of the potential security risks and
vulnerabilities to the confidentiality, integrity and availability of
the company's ePHI;
- Develop written risk management plans to address and mitigate any
security risks and vulnerabilities identified in the risk analysis;
- Report to HHS failures of its workforce members to comply with the
company's security policies and procedures.
