Focus On: State AGs Break New Ground by Teaming Up to Enforce HIPAA

Lab managers and compliance officers take note: For the first time ever, state attorneys general (AGs) have banded together to go after a health care provider for HIPAA violations. Although the defendant was a medical software firm, the same enforcement strategy could very easily apply to labs as well. Here’s a look at a groundbreaking new case and what it may portend. (Click here for a related story on new state HIPAA laws.)

The MIE Data Breach

The focal point of the case is a medical software provider named Medical Informatics Engineering (MIE) which licenses a web-based electronic health record application called WebChart and its subsidiary, NoMoreClipboard (NMC), which provides patient portal and personal health record services to healthcare providers allowing patients to access and manage their health information. MIE installed two generic accounts, one having a shared password of “tester” and the other having a shared password of “testing.” Neither included a unique user identification name. These accounts were flagged as “high risk” by a formal penetration test conducted in January 2015. But MIE decided not to eliminate them because it didn’t want to deny a client request for the capacity to login without using unique usernames and passwords.

Later that year, hackers used the generic accounts to launch an SQL injection attack and insert malware on MIE’s system, compromising the electronic protected health information (ePHI) of approximately 3.5 million individuals.

The Legal Action against MIE

The federal Office of Civil Rights (OCR) cited MIE for HIPAA violations resulting in a $100,000 settlement. Although it’s not unusual for states to file separate privacy law charges on behalf of state residents harmed by the breach, there had never been a multistate HIPAA data breach lawsuit before. So, it was pretty eye-opening when AGs from no fewer 16 different states (including Arizona, Arkansas, Connecticut, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee, West Virginia and Wisconsin) banded together to go after MIE in Indiana federal court.

In addition to wielding their statutory authority to enforce HIPAA, the state AGs brought claims under their respective data breach and personal information protection statutes. Result: MIE was accused of 38 separate counts of state law violations stemming from the same breach. Outnumbered and out-resourced, MIE agreed to pay $900,000 to settle all the charges. It also agreed to implement an onerous corrective action plan.

Why Labs Are Also Vulnerable

As if HIPAA and security breaches weren’t already damaging enough, the potential for multistate enforcement stemming from a single breach ups the ante exponentially. Labs are especially vulnerable given:

• Their reliance on web-based applications for ePHI management that hackers love to target; and
• The fact that they manage ePHI of residents from multiple states.