Arizona v. Medical Informatics Engineering, Inc., 2019 WL 2354317 (N.D. Ind. 2019)
A federal trial court has entered a consent judgment in a case brought by a group of state attorneys general against two related companies that provide software and medical record services to health care providers. The complaint alleged that the companies, as HIPAA business associates, violated HIPAA’s security standards and various state consumer-protection and data-security laws by establishing generic accounts that could be accessed with easily guessed user name and password combinations. Use of the generic accounts, which allowed customers to avoid setting up unique user IDs and passwords, continued even after a formal penetration test identified them as high risk. Hackers allegedly exploited the generic accounts to access other accounts with administrator privileges, resulting in the theft of protected health information (PHI) of 3.9 million individuals. According to the complaint, unauthorized access to the companies’ network started on May 7, 2015, but was not discovered until May 26. Moreover, the complaint asserts that, while the incident was being investigated, the attacker extracted records of 326,000 individuals on two separate days, using privileged checkout credentials. The complaint contended that the companies did not begin providing breach notifications until 50 days after the breach discovery date and took six months to complete the notifications.
The complaint alleged numerous HIPAA violations, including failures to (1) conduct an accurate and thorough risk analysis; (2) regularly review information system activity; (3) implement policies and procedures to establish, review, and modify workstation access; (4) address security incidents; (5) assign unique user IDs; (6) verify the identity of those accessing PHI; (7) adhere to the minimum necessary standard; and (8) encrypt PHI.
The companies did not admit liability in the consent judgment, but they agreed to pay the states a total of $900,000 in three annual installments and to comply with HIPAA and the applicable state laws. The judgment sets out detailed compliance mandates, such as using multifactor authentication; adopting strong, complex passwords; implementing technology to detect and prevent unauthorized data exfiltration; security training for workforce members; educating clients on strong password policies; and promoting clients’ use of multifactor authentication. The companies are also required, within 90 days after entry of judgment, to engage an independent third party to conduct a current and comprehensive risk analysis and to revise their security policies and procedures in response to the analysis, submitting a description of their actions to the Indiana Attorney General. This analysis must be repeated annually for five additional years.
EBIA Comment: Other state attorneys general have used their authority under the HITECH Act to enforce HIPAA privacy and security rules, but this case appears to be the first time that several states have banded together to enforce HIPAA. The detailed and ongoing compliance mandates may be more noteworthy than the relatively modest settlement amount—which, even after taking into account OCR’s separate $100,000 resolution agreement (see our Checkpoint article), is less than payments for other incidents of comparable magnitude. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.G (“Cause of Action for State Attorneys General Under the HITECH Act”), XXVI.H (“‘Minimum-Necessary’ Standard”), XXX.B (“Administrative Safeguards”), and XXX.D (“Technical Safeguards”). You may also be interested in our webinar “Learning the Ropes: An Introduction to HIPAA Privacy & Security” (recorded on 2/20/19).
Contributing Editors: EBIA Staff.