Twelve US states are suing an electronic healthcare record provider who lost 3.9 million personal records in 2015.
The Attorneys general of Arizona, Arkansas, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina, and Wisconsin clubbed together to file suit against Indiana-based Medical Informatics Engineering (MIE) and its subsidiary NoMoreClipboard (NMC) this week. The states, who each have residents affected by the breach, are negotiating a payout with the company.
MIE and NMC violated the federal HIPAA legislation protecting the privacy of health information, claim the 12 states. They’re also accusing MIE of breaking 27 state-level laws concerning data breach notification, abusive and deceptive practices, and personal information protection. The complaint accuses MIE of failing to properly secure its computer
systems, not telling people about its system weaknesses, and then
failing to provide timely notifications of the incident.
MIE sells web-based electronic health record services to healthcare providers via NMC’s Webchart web-based portal. IE failed to encrypt sensitive information, even though it said it did,
the lawsuit says. It also used test accounts sharing the passwords
“tester” and “testing”, established so that a client’s employees didn’t
have to log in with a unique user ID.
One of these test accounts allowed the thieves to explore the health
record database with SQL injection attacks, gaining further access to
privileged accounts called ‘checkout’ and ‘dcarlson’.
The leak continued, from 7 May 2015, hackers pilfered 3.9 million people’s personal information from MIE’s back-end systems, stealing not only names, addresses and social security numbers but also health data. This included lab results, health insurance policy information, diagnoses, disability codes, doctors’ names, medical conditions and the names and birth statistics of children.
Sophos
No comments:
Post a Comment