EHR Vendor Penalized Again, This Time by States
Settlement Follows Federal HIPAA Penalty Tied to Data Breach
On the heels of a resolution agreement with federal regulators announced last week, cloud-based electronic health records vendor Medical Informatics Engineering has signed a $900,000 settlement with 16 state attorneys general in a HIPAA violations case stemming from a 2015 data breach.
In a statement, North Carolina Attorney General Josh Stein says his state and 15 others signed a settlement with Medical Informatics Engineering and its related firm, NoMoreClipboard, in the first multistate HIPAA lawsuit involving a data breach (see 12 States File Data Breach Lawsuit Against EHR Vendor).
Under the HITECH Act, states can take civil action against organizations for HIPAA violations. At the federal level the Department of Health and Human Services' Office for Civil Rights enforces HIPAA.
"MIE's data breach put people's personal information - especially sensitive details about their health - at risk," Stein said in the statement.
The other states signing the settlement are Indiana, which led the lawsuit, along with Arizona, Arkansas, Connecticut, Florida, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, Tennessee, West Virginia and Wisconsin.
On May 23, HHS's OCR announced a $100,000 settlement with Fort Wayne, Indiana-based MIE tied to the 2015 data breach. Hackers used a compromised user ID and password to access the electronic protected health information of more than 3 million individuals, according to OCR (see: Cloud-Based EHR Vendor Slapped with HIPAA Fine).
The new state attorneys general settlement resolves a December 2018 lawsuit filed in an Indiana federal court alleging that MIE violated HIPAA as well as the states' unfair and deceptive practice laws, notice of data breach statutes and personal information protection laws.
The North Carolina attorney general's statement notes that between May 7 and May 26, 2015, hackers infiltrated WebChart, a web application run by MIE.
"The hackers stole the electronic protected health information of more than 3.9 million individuals. This data included individual names, telephone numbers, mailing addresses, usernames, hashed passwords, security questions and answers, spousal information, email addresses, dates of birth, Social Security numbers, lab results, health insurance policy information, diagnoses, disability codes, doctors' names, medical conditions, and children's names and birth statistics," the statement notes.
As part of its settlement with the states, MIE has agreed to:
- Comply with all administrative and technical safeguards and implementation specifications required by HIPAA;
- Comply with the states' deceptive trade practices acts in connection with its collection, maintenance and safeguarding of consumers' personal information and PHI;
- Comply with the states' breach notification laws;
- Implement and maintain an information security program that contains administrative, technical and physical safeguards appropriate to the size and complexity of the company's operations and the nature and scope of its business;
- Refrain from employing the use of generic accounts that can be accessed via the internet and ensure that no generic accounts on its information system have administrative privileges;
- Implement multifactor authentication to access any portal the company manages in connection with its maintenance of ePHI;
- Implement and maintain a security incident and event monitoring solution to detect and respond to malicious attacks.
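The account-related terms above (no internet-reachable generic accounts, no generic accounts with administrative privileges, multifactor authentication on any ePHI portal) are the kind of requirement a compliance team has to turn into a repeatable check. The script below is an added example, not code from MIE or from the settlement: it audits a constructed account inventory against those three terms. The inventory fields and the naming heuristic used to decide what counts as a "generic" (shared, non-personal) account are assumptions made for the example.

```python
"""Audit an account inventory against three settlement terms:
no generic account reachable from the internet, no generic account with
administrative privileges, and MFA on every account with ePHI portal access.
Added example; inventory format and the 'generic' heuristic are assumptions."""

from dataclasses import dataclass
from typing import List, Optional, Tuple
import re

# Assumption: an account is "generic" if it has no named individual as owner,
# or if its name matches a pattern that does not identify one person.
GENERIC_NAME_PATTERNS = [
    re.compile(r"^(admin|administrator|root|test|guest|support|service|shared|temp)\d*$", re.I),
    re.compile(r"^(helpdesk|clinic|frontdesk|nurse|ehr|portal)[-_]?(user|acct|account)?\d*$", re.I),
]


@dataclass
class Account:
    name: str
    is_admin: bool
    internet_facing: bool        # reachable without VPN, from the public internet
    portal_access: bool          # can log in to a portal that serves ePHI
    mfa_enabled: bool
    owner: Optional[str] = None  # named individual responsible for the account


def is_generic(acct: Account) -> bool:
    """Return True if the account is shared/non-personal under the assumed heuristic."""
    if acct.owner is None:
        return True
    return any(p.match(acct.name) for p in GENERIC_NAME_PATTERNS)


def audit(accounts: List[Account]) -> List[Tuple[str, str]]:
    """Return (account name, finding) pairs for every violated term."""
    findings = []
    for a in accounts:
        generic = is_generic(a)
        if generic and a.internet_facing:
            findings.append((a.name, "generic account reachable from the internet"))
        if generic and a.is_admin:
            findings.append((a.name, "generic account holds administrative privileges"))
        if a.portal_access and not a.mfa_enabled:
            findings.append((a.name, "portal access without multifactor authentication"))
    return findings


# Constructed sample inventory (not real accounts).
SAMPLE_INVENTORY = [
    Account("jsmith", is_admin=False, internet_facing=True, portal_access=True,
            mfa_enabled=True, owner="Jane Smith"),            # compliant
    Account("test1", is_admin=True, internet_facing=True, portal_access=True,
            mfa_enabled=False),                                # violates all three
    Account("dr_lee", is_admin=False, internet_facing=True, portal_access=True,
            mfa_enabled=False, owner="Dr. Lee"),              # named, but no MFA
    Account("backup_svc", is_admin=True, internet_facing=False, portal_access=False,
            mfa_enabled=False),                                # generic admin, internal only
]


def sample_findings() -> List[Tuple[str, str]]:
    return audit(SAMPLE_INVENTORY)


if __name__ == "__main__":
    for name, finding in sample_findings():
        print(f"{name}: {finding}")
```

Run against a real inventory export, the same three rules give a pass/fail list that maps directly onto the settlement's wording; the heuristic for "generic" should be replaced by whatever the organization's identity system records about account ownership.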
MIE did not immediately respond to an Information Security Media Group request for comment on the settlement with the state attorneys general.
OCR Settlement Terms
MIE's federal settlement with OCR also included a corrective action plan. That requires the company to:
- Conduct an assessment of the potential security risks and vulnerabilities to the confidentiality, integrity and availability of the company's ePHI;
- Develop written risk management plans to address and mitigate any security risks and vulnerabilities identified in the risk analysis;
- Report to HHS failures of its workforce members to comply with the company's security policies and procedures.