Medical Informatics Engineering Breach: The Gift That Keeps on Giving
By David Geer
Consumer data breaches earn criminals ammunition to commit identity theft and credit card fraud. Cyber miscreants have already stolen personal data from almost every American adult, according to MarketWatch. Cybercrooks reuse hijacked credentials and personal information in attacks and scams for years.
Data breaches come back to haunt organizations responsible for losing consumer data, too. In the Summer of 2015, Medical Informatics Engineering (MIE) suffered a breach of 3.9 million Electronic Personal Health Information (ePHI) records. The health records ripoff reached patients through 44 radiology clinics and 11 healthcare providers in 12 states that used the MIE WebChart web app, which held the ePHI data, according to ZDNet.
Though affected consumers sued MIE immediately, it was only the beginning for the besieged company. Three years later, the firm faces the first ever joint cross-state HIPAA lawsuit against a healthcare provider in federal court, filed by 12 states’ attorneys general, according to ZDNet. The lawsuit seeks a financial judgment, civil penalties, and the adoption of a corrective action plan to address all compliance failures, according to Calculated HIPAA. Represented states include Arizona, Arkansas, Florida, Iowa, Indiana, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina, and Wisconsin.
The reach of the breach
On June 10, 2015, Medical Informatics Engineering, an electronic health records software firm, published a notice that attackers had breached patient data in its WebChart web app. The firm had discovered the breach two weeks earlier, on May 26th; the intrusion itself began on May 7th.
According to cumulative news reports, cyber thieves entered the company network remotely by logging in with easily-guessed credentials. Once inside, attackers introduced an SQL injection exploit into a company database. Using information gleaned from the attack, the criminals accessed two accounts, one named “checkout” and the other “dcarlson,” which had administrative privileges. The attackers used the first account to open company databases and retrieve more than 1.1 million ePHI records. They used the second account to grab another 565,000 ePHI records. On May 25th, the attackers launched a second offensive using c99 malware to reach about 2 million more files.
Medical Informatics Engineering made egregious security missteps. The latest legal complaint by 12 attorneys general details the firm’s security deficiencies.
According to the suit, MIE enabled access to its network for a customer using two test accounts. In both cases, the username and password were identical and easy to guess: the first account used “tester” and the second used “testing.” Any party trying these credentials could log in to the MIE network with no other authentication. MIE had set up the weak credentials so that its customer’s employees could gain access without individual usernames and passwords.
Further, MIE hired the pen testing firm Digital Defense in January of the year of the breach to look for vulnerabilities. The pen testers reported that the weak login credentials were high risk, but MIE did not remove them.
Digital Defense had also confirmed in 2014 that MIE’s database was vulnerable to SQL injection attacks. Though the pen testing firm recommended measures to secure the databases, MIE did not implement them.
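The two findings above, an injectable database query and accounts whose password equals their username, are easy to demonstrate and to check for. The following is an added example, not code from the article or from MIE; it uses Python's standard-library sqlite3 on a constructed in-memory schema, and the account names are sample rows modelled on the usernames the suit quotes, not real data.

```python
import sqlite3


def build_db():
    """Constructed sample database (not MIE's schema): patient rows plus login accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE patients (id INTEGER, name TEXT, ssn TEXT, owner TEXT)")
    db.executemany("INSERT INTO patients VALUES (?, ?, ?, ?)", [
        (1, "Alice Example", "000-00-0001", "clinic_a"),
        (2, "Bob Example", "000-00-0002", "clinic_b"),
        (3, "Carol Example", "000-00-0003", "clinic_a"),
    ])
    db.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)", [
        ("tester", "tester"),          # constructed: username == password
        ("testing", "testing"),        # constructed: username == password
        ("clinician1", "placeholder"), # constructed: distinct password
    ])
    return db


def lookup_vulnerable(db, owner):
    """String-built query: the caller's input is parsed as part of the SQL text."""
    sql = f"SELECT name, ssn FROM patients WHERE owner = '{owner}'"
    return db.execute(sql).fetchall()


def lookup_hardened(db, owner):
    """Parameterised query: the input is bound as data and can never alter the WHERE clause."""
    return db.execute(
        "SELECT name, ssn FROM patients WHERE owner = ?", (owner,)
    ).fetchall()


def weak_credential_audit(db):
    """Return accounts whose password equals the username, the pattern the suit describes."""
    rows = db.execute("SELECT username, password FROM accounts").fetchall()
    return sorted(user for user, pw in rows if user == pw)


if __name__ == "__main__":
    db = build_db()
    tampered = "clinic_a' OR '1'='1"   # classic tautology appended to a legitimate value
    print(len(lookup_vulnerable(db, "clinic_a")))  # 2 rows: the intended scope
    print(len(lookup_vulnerable(db, tampered)))    # 3 rows: every patient in the table
    print(len(lookup_hardened(db, tampered)))      # 0 rows: no owner has that literal name
    print(weak_credential_audit(db))               # ['tester', 'testing']
```

Running the audit against a real account store before a pen test report arrives is cheaper than reading the finding in a complaint three years later.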
The attorneys general’s suit further claims that MIE’s breach response was “inadequate” and “ineffective.” MIE noticed the malware-based attack on May 26th due to the stress the data transfer put on the network. But attackers continued to remove patient records from May 26th to May 28th using the administrative accounts while the company was investigating the malware attack. The company only stopped the breach when a security contractor noticed suspicious IP addresses connecting to the network.
The breadth of the burden
The breach was burdensome for consumers. According to DataBreaches.net, the ePHI records were rife with names, phone numbers, addresses, usernames, hashed passwords, and security questions and answers. The files also contained spouses, email addresses, birth dates, Social Security numbers, labs, health insurance policies, diagnoses, disability codes, doctors, medical conditions, and children’s names and birth statistics. Affected consumers faced an increased risk of phishing attacks, phone scams, stolen identities, and account hijacking.
Lawsuits, fines, and penalties
Multiple lawsuits have surfaced since the time of the breach. The courts have consolidated these suits, not counting the federal suit, into an Amended Class Action Complaint. The complaint claims the breach harmed consumers through fraudulent charges on accounts and by forcing them to spend many hours filing police reports and monitoring credit reports and credit and bank accounts. The breach victims pay for identity theft and credit monitoring services year after year. They must remain vigilant in fear of victimization for the rest of their lives since their personal and medical information was exposed, according to the complaint.
The courts expect discovery for the consolidated suit to start in February of 2019 and continue into 2020, according to case data published by the firm of Keller Rohrback. According to the HIPAA Journal, damages from one suit among the consolidated bunch could have exceeded $5 million. It will be some time before MIE sees the end of litigation from the breach.
Though HIPAA fines and penalties can range up to $1.5 million per year, according to the HIPAA Journal, there appears to be no public record of whether, or how much, MIE was (or will be) fined or penalized under HIPAA, either by regulators or by the attorneys general, who can levy HIPAA penalties.
Avoid consumer data breaches
MIE experienced a devastating violation of consumer privacy, but it wasn’t the first EHR firm to endure such a blow, and it won’t be the last. With minimal effort, similar organizations can stand up identity and authentication management capabilities such as Multi-factor Authentication (MFA) as part of a Zero Trust approach, keeping attackers who hold a guessed or stolen password from reaching patients’ intimate details.