09 Dec 2018

MIE WebChart EHR multi state AG filing

Dozens of states have apparently filed a federal lawsuit against Medical Informatics Engineering, Inc (MIE) and its subsidiary NoMoreClipboard LLC. This will be the first time state AGs have jointly brought a HIPAA-based case in federal court.

MIE’s WebChart EHR application had been hacked in 2015. The case claims MIE had a generic “tester” account which utilized a shared password of “tester” and also another called “testing” with “testing” as the password. Digital Defense had flagged these as high risk in an earlier audit (Jan 2015). While the “tester” account did not have elevated privileges, it did allow a SQL injection attack in which error messages returned from queries revealed details of the database structure. The hacker in 2015 apparently was able to access the “checkout” account, which did indeed have elevated privileges, and exfiltrate approximately 1.1M patient records.
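The two weaknesses described above, as an added defensive example that is not taken from the filing or from MIE's code: an audit that flags accounts whose password equals the username, and a lookup that echoes database errors beside one that uses a bound parameter and a generic error. The table layout, account data and function names are assumptions constructed for illustration.

```python
import hashlib, hmac, os, sqlite3

def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def build_db() -> sqlite3.Connection:
    # Constructed sample data; this is not the WebChart schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for name, pw in [("tester", "tester"), ("testing", "testing"),
                     ("drsmith", "k7#Vq9!mLx2p")]:
        salt = os.urandom(16)
        db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, hash_pw(pw, salt)))
    return db

def accounts_with_username_as_password(db) -> list:
    # Re-hash each username with that account's salt and compare to the stored hash.
    flagged = []
    for name, salt, pw_hash in db.execute("SELECT name, salt, pw_hash FROM users"):
        if hmac.compare_digest(hash_pw(name, salt), pw_hash):
            flagged.append(name)
    return sorted(flagged)

def lookup_leaky(db, name: str) -> str:
    # Weak pattern: input concatenated into SQL, driver error echoed to the caller.
    try:
        rows = db.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()
        return f"{len(rows)} match(es)"
    except sqlite3.Error as exc:
        return f"error: {exc}"

def lookup_hardened(db, name: str) -> str:
    # Bound parameter; any database error is replaced by a generic message
    # (in a real application the detail would go to a server-side log instead).
    try:
        rows = db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
        return f"{len(rows)} match(es)"
    except sqlite3.Error:
        return "error: request could not be processed"

if __name__ == "__main__":
    db = build_db()
    print(accounts_with_username_as_password(db))
    print(lookup_leaky(db, "o'brien"))     # ordinary apostrophe breaks the query
    print(lookup_hardened(db, "o'brien"))  # treated as data, no error surfaced
```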

The case seeks HIPAA corrective actions as well as financial judgments, civil penalties, and injunctive relief. The company not only violated provisions of the Health Insurance Portability and Accountability Act (HIPAA) but also violated many state laws such as the Arkansas state deceptive trade practices law, notice of data breach statutes, and personal information protection acts.
