12 Attorneys General Sue for 2015 Breach in First Case of Its Kind

1.8.2019

North Carolina joined Attorneys General from a dozen states in suing Indiana-based Medical Informatics Engineering (MIE) and affiliates. The complaint alleges that the companies failed to undertake reasonable measures to protect their computer systems. This failure caused a security breach in 2015. As many as 3.9 million patients had protected health information (PHI) compromised during the breach.

The compromised PHI allegedly included names, telephone numbers, addresses, usernames, hashed passwords, security questions, spousal information, email addresses, birthdates, Social Security numbers, lab results, health insurance information, diagnoses, disability codes, treating physicians, medical conditions, and child statistics.

The defendants’ alleged shortcomings include (1) failure to undertake reasonable steps to prevent the breaches; (2) failure to disclose the inadequacy of their computer systems and security processes; (3) failure to fulfill promises to protect PHI; and (4) failure to provide timely and adequate notice of the breach. The states allege that these failures led to significant harm to consumers across the nation.

For their part, the defendants insist that they were subject to a sophisticated attack, and responded promptly. They hired outside security consultants. They notified the FBI. They also instituted additional safeguards and processes.

The striking point is that the Complaint alleges the hackers infiltrated the MIE systems using rudimentary rather than sophisticated tactics. For example, the web app included generic names and passwords such as “tester” and “testing”. (The accounts were created in response to a client request.) The weak password protection enabled hackers to penetrate the accounts with relative ease. The database design also allegedly left PHI vulnerable to malicious SQL queries.

The states maintain that the defendants did not address the security vulnerabilities even after security tests identified them as potential problems. For instance, the Complaint alleges that security vendor Digital Defense had warned that the generic accounts were an issue. The defendants left them in place.

Other allegations state that the defendants’ information security policies were deficient. Poor documentation was an issue. For example, the incident response plan was incomplete, with several questions indicating that it was in a coordinator or draft state. The defendants did not even document HIPAA Security and Awareness training for 2013, 2014, or 2015.

The Complaint’s allegations underscore the necessity of documenting basic security processes. Moreover, identified vulnerabilities must be addressed quickly to stave off future complaints.

Together with North Carolina, the suing states are Arizona, Arkansas, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, and Wisconsin. They allege HIPAA violations and violations of state laws on PHI protection, unfair and deceptive trade practices, and data breach notification.

Along with the Pennsylvania Supreme Court decision we recently analyzed, the state lawsuit signals increased exposure for data breaches. Strikingly, recent litigation is increasingly reliant on common law and statutory claims rather than privacy or cybersecurity statutes. The states seek unspecified statutory damages and civil penalties. The case is the first of its kind. It will not be the last.

Physical Address: 301 Fayetteville Street, Suite 1900, Raleigh, NC 27601 | © Poyner Spruill LLP. All rights reserved.
