The States Also Rise, or 12 Attorneys General Sue for 2015 Breach in First Case of Its Kind
By Saad Gul and Michael E. Slipsky
North Carolina joined Attorneys General from a dozen states in suing Indiana based Medical Informatics Engineering and affiliates. The complaint alleges that the companies failed to undertake reasonable measures to protect their computer systems. This failure caused a security breach in 2015. As many as 3.9 million patients had protected health information (PHI) compromised during the breach.
The compromised PHI allegedly included names, telephone numbers, addresses, usernames, hashed passwords, security questions, spousal information, email addresses, birthdates, Social Security numbers, lab results, health insurance information, diagnosis, disability codes, treating physicians, medical conditions, and child statistics.
The defendants’ alleged shortcomings include (1) failure to undertake reasonable steps to prevent the breaches; (2) failure to disclose the inadequacy of their computer systems and security processes; (3) failure to fulfill promises to protect PHI; and (4) failure to provide timely and adequate notice of the breach. The states allege that these failures led to significant harm to consumers across the nation.
For their part, the defendants insist that they were subject to a sophisticated attack, and responded promptly. They hired outside security consultants. They notified the FBI. They also instituted additional safeguards and processes.
The striking point is that the Complaint alleges the hackers infiltrated the MIE systems using rudimentary rather than sophisticated tactics. For example, the web app included generic names and passwords such as “tester” and “testing”. (The accounts were created in response to a client request). The weak password protection enabled hackers to penetrate the accounts with relative ease. The database design also allegedly left PHI vulnerable to malignant SQL queries.
The states maintain that the defendants did not address the security vulnerabilities even after security tests identified them as potential problems. For instance, the Complaint alleges that security vendor Digital Defense had warned that the generic accounts were an issue. The defendants left them in place.
Other allegations state that the defendant’s information security policies were deficient. Poor documentation was an issue. For example, the incident response plan was incomplete, with several questions indicating that it was in a coordinator or draft state. The defendants did not even document HIPAA Security and Awareness training for 2013, 2014, or 2015.
The Complaint’s allegations underscore the necessity of documenting basic security processes. Moreover, identified vulnerabilities must be addressed quickly to stave off future complaints.
Together with North Carolina, the suing states are Arizona, Arkansas, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, and Wisconsin. They allege HIPAA violations, the violations of state laws on PHI protection, unfair and deceptive trade practices, and data breach notification.
Along with the Pennsylvania Supreme Court decision we recently analyzed, the state lawsuit signals increased exposure for data breaches. Strikingly, recent litigation is increasingly reliant on common law and statutory claims rather than privacy or cybersecurity statutes. The states seek unspecified statutory damages and civil penalties. The case is the first of its kind. It will not be the last.
Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or firstname.lastname@example.org. Mike may be reached at 919.783.2851 or email@example.com.