Multi-State Action Results in $900,000 Financial Penalty for Medical Informatics Engineering

Share this article on:

Medical Informatics Engineering (MIE) is required to pay a financial penalty of $900,000 to resolve a multi-state action over HIPAA violations related to a breach of 3.9 million records in 2015. The announcement comes just a few days after the HHS’ Office for Civil Rights settled its HIPAA violation case with MIE for $100,000.

MIE licenses a web-based electronic health record application called WebChart and its subsidiary, NoMoreClipboard (NMC), provides patient portal and personal health record services to healthcare providers that allow patients to access and manage their health information. By providing those services, MIE and NMC are business associates and are required to comply with HIPAA Rules.

Between May 7 and May 26 2015, hackers gained access to a server containing data related to its NMC service.  Names, addresses, usernames, passwords, and sensitive health information were potentially accessed and stolen.

A lawsuit was filed in December 2018 alleging MIE and NMC had violated state laws and several HIPAA provisions. 16 state attorneys general were named as plaintiffs in the lawsuit: Arizona, Arkansas, Connecticut, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee, West Virginia, and Wisconsin.

The plaintiffs’ investigation into the breach revealed hackers had exploited several vulnerabilities, MIE had poor password policies in place, and security management protocols had not been followed.

Under the terms of the consent judgement, in addition to the financial penalty, MIE must implement and maintain an information security program and deploy a security incident and event monitoring (SIEM) solution to allow it to detect and respond quickly to cyberattacks.

Data loss prevention technology must be deployed to prevent the unauthorized exfiltration of data, controls must be implemented to prevent SQL injection attacks, and activity logs must be maintained and regularly reviewed.

Password policies must be implemented that require the use of strong, complex passwords and multi-factor authentication and single sign-on must be used on all systems that store or are used to access ePHI.

Additional controls need to be implemented covering the creation of accounts that have access to ePHI. MIE must refrain from using generic accounts that can be accessed via the Internet and no generic accounts are allowed to have administrative privileges.

MIE is also required to comply with all the administrative and technical safeguards of the HIPAA Security Rule and states’ deceptive trade practices acts with respect to the collection, maintenance, and safeguarding of consumers’ protected health information. Reasonable security policies and procedures must be implemented and maintained to protect that information. MIE must also provide appropriate training to all employees regarding its information security policies and procedures at least annually.

In addition, MIE is required to engage a third-party professional to conduct an annual risk analysis to identify threats and vulnerabilities to ePHI each year for the next five years. A report of the findings of that risk analysis and the recommendations must be sent to the Indiana Attorney General within 180 days and annually thereafter.

The consent judgement has been agreed by all parties and resolves the alleged HIPAA violations and violations of state laws. The consent judgement now awaits court approval. The consent judgement can be found on the website of the Florida Office of the Attorney General – PDF.

Author: HIPAA Journal

Share This Post On