A 2015 hack of Medical Informatics stayed in the headlines for quite a while because it compromised the data, including health information, of 3.9 million people. In addition to suits filed by consumers, state attorneys general have also sued the business associate, as Dave Gong reports:
Fort Wayne-based Medical Informatics Engineering Inc. failed to secure their computer systems, resulting in a data breach, which compromised the data of more than 3.9 million people, a 12-state lawsuit filed by Indiana Attorney General Curtis Hill alleges.
[…]
Other states involved in the litigation are Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin. Indiana’s portion was filed in the U.S. District Court for the Northern District of Indiana.
When looking at the claims, keep in mind 2015 standards.
“Defendants failed to implement basic industry-accepted data security measures to protect individuals’ health information from unauthorized access,” the lawsuit states. “Defendants set up a generic ‘tester’ account called ‘testing’ with a shared password of ‘testing.’ In addition to being easily guessed, these generic accounts did not require a unique user identification and password in order to gain remote access.”
According to the lawsuit, the company did not put in place an active security system to alert employees to possible hacking attempts. Additionally, the lawsuit contends that the company did not encrypt sensitive personal information within its own computer system, “a protection that, had it been employed, would have rendered the data unusable.”
Curiously, perhaps, the HHS breach tool lists the Medical Informatics breach under archived incidents or incidents older than 24 months, but it shows no web description or outcome of any investigation. Assuming for now that they even opened an investigation into this incident, is this still under investigation by HHS?
Read more on The Journal Gazette.