Catalin Cimpanu has a good write-up about the multistate lawsuit against Medical Informatics that I noted earlier this week:
Attorneys general from twelve US states have joined together to file the first-ever joint cross-state HIPAA lawsuit against a healthcare provider that got hacked in the summer of 2015.
The lawsuit, filed in an Indiana court on Monday, alleges that Medical Informatics Engineering and its subsidiary NoMoreClipboard –collectively known and doing business as MIE– had “failed to take adequate and reasonable measures to ensure their computer systems were protected.”
Catalin bulletpoints the alleged security failures in a way that indicates that MIE had been warned/advised not to use certain generic accounts, but continued to use them anyway (because a client requested it), and that failure combined with sqli attacks returning helpful error messages ultimately enabled attackers to exfiltrate massive amounts of data. And to compound problems, MIE allegedly did not have an appropriate monitoring and notification system in place that would detected the attack sooner and prevented much of the data exfiltration.
Read more on ZDNet. As I noted the other day when I first reported on this development, it is not clear whether HHS/OCR ever closed their investigation of this breach. Based on what I’m reading now, it seems likely that HHS will sit back and let the states handle this one.