Medical Informatics Engineering, Inc. (Medical Informatics) and its wholly-owned subsidiary, NoMoreClipboard, LLC, an electronic medical record and software services provider is now liable for a combined total of $1 million to both the federal and state governments after hackers accessed approximately 3.5 million patients’ health records in 2015. The breach, reported to OCR on July 23, 2015, occurred through a compromised user ID and password. Compromised patient information included social security numbers, names, email addresses, health insurance policy information, addresses, dates of birth, and clinical information. An investigation later revealed that Medical Informatics disregarded basic industry security standards. The breach led to an investigation by OCR and also to a lawsuit brought by the attorneys general of sixteen states against Medical Informatics for its failure to comply with HIPAA and for engaging in deceptive trade practices in advertising compliance with privacy and security measures of its PHI.
Specifically, Medical Informatics installed two generic accounts, one having a shared password of “tester” and the other having a shared password of “testing”. Neither included a unique user identification name. Though these accounts were flagged as “high risk” by a formal penetration test conducted in January 2015, Medical Informatics did not change their decision to have these accounts. The accounts were to appease a client request to be able to login without using unique usernames and passwords. Through these accounts, the hackers eventually launched an SQL injection attack as well as inserting malware on Medical Informatics’ system.
Because of this grave mishap, Medical Informatics is on the hook to the federal government for $100,000 and will enter into a two-year commitment to a corrective action plan (CAP). The CAP requires Medical Information to do the following: (i) conduct a risk analysis; (ii) develop and implement a risk management plan; and (iii) comply with requirements designated as reportable events. In addition to the penalties from the federal government, sixteen states also collectively sued Medical Informatics in Indiana federal district court in December 2018. Judge Robert L. Miller, Jr. signed a Consent Order and Judgment on May 28, 2019. That Judgment and Order requires Medical Informatics to pay a combined sum of $900,000 to the state defendants over the next three years. Providers should be cognizant of the fact that the success and monetary gain this lawsuit brought to many states may stir up greater HIPAA enforcement by attorneys general alike.
It is imperative for business associates, particularly EMR companies directly responsible for maintaining sensitive information, to ensure strict compliance with HIPAA and appropriate security protections for PHI. Conducting risk assessments is a clear requirement under HIPAA. Risk assessments must be completed in an appropriate manner and the corresponding results should be reviewed and deficiencies remedied. The risk assessment should hone in on the confidentiality, availability, and integrity of such PHI and should survey the entire organization. Additionally, since the hackers here were able to access the PHI through generic tester accounts, companies must also ensure that they have implemented appropriate policies and procedures regarding prohibitions on generic accounts and certain passwords. Password policies should address the strength of passwords, the frequency for changing passwords, and not sharing or disclosing passwords. Such policies and procedures should be coupled with regular workforce trainings.