Attorney General HIPAA fines have been on the increase over the past few years, and the trend shows no sign of slowing. In this unprecedented HIPAA action, Attorneys General across twelve states have filed suit against an EHR platform for a breach of over 3.9 million individuals’ protected health information (PHI).
On December 3, 2018, twelve Attorneys General collectively filed a security breach lawsuit against Medical Informatics Engineering, the parent company of NoMoreClipboard LLC, which is an Indiana-based electronic health records (EHR) provider. Attorney General Curtis Hill of Indiana led the lawsuit, along with Attorneys General from Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina, and Wisconsin.
While state Attorneys General have used HIPAA fines to exercise their civil enforcement authority under HIPAA in the past, this is the first instance where states have “teamed up” to pursue a HIPAA lawsuit in federal court. This collaboration suggests an uptick in state officials exercising their data protection authority to respond to cybersecurity incidents, a trend that may continue in the years ahead.
The lawsuit stems from a May 2015 data breach where 3.9 million individuals’ protected health information (PHI) was stolen from the Company’s systems. Over the course of 19 days, hackers were able to invade the EHR platform’s computer systems and steal names, identifying information, passwords, security questions and answers, family information, Social Security numbers, lab results, and more.
The Attorneys General argue that the EHR platform failed to enforce proper security measures to protect its computer systems appropriately, take steps to prevent the breach, disclose material facts to consumers, provide sufficient notice, and more. The complaint suggests that the EHR provider failed to implement basic security standards to protect PHI from unauthorized access and did not have adequate controls in place.
The post-breach response was also viewed as “inadequate and ineffective,” which was another major point addressed in the complaint. While the EHR platform was investigating the attack, hackers were still able to access an additional 30,000 patient records with authorized credentials through the use of SQL queries. In addition, the EHR platform had an incomplete and ineffective incident response plan.
According to the Attorneys General, the Company notified affected patients 50 days after the breach was discovered, but did not conclude notifications until December. In summary, the EHR provider did not have a security infrastructure established, and all of this could have been avoided if the EHR provider had had an effective HIPAA compliance program in place. Under the HIPAA regulation, EHR platforms like NoMoreClipboard are considered business associates and must be HIPAA compliant.
For healthcare professionals, HIPAA compliance is fundamental to ensuring the privacy and security of PHI and to avoiding Attorney General HIPAA fines. The HIPAA Security Rule outlines technical, physical, and administrative safeguards that must be addressed in order to protect the confidentiality, integrity, and availability of PHI. In order to address security properly, EHR providers like NoMoreClipboard must abide by the security standards outlined in the regulation. The moral of this story for the EHR platform is that if it had had an effective compliance program in place, it would have had the security measures it needed to secure the ePHI it handled.
Not only do the Attorneys General seek monetary penalties, but they also require the company to: implement a written information security program, stop using generic accounts, require multi-factor authentication, implement an incident management program, and perform a risk analysis and provide a report to Attorney General Curtis Hill of Indiana, among other requirements.