By SecureWorld News Team
Fri | Dec 7, 2018 | 10:25 AM PST

A first-of-its-kind lawsuit filed by 12 states just revealed years of cybersecurity failures and ignored warnings.

Here at SecureWorld, we've heard plenty of hacking horror stories, but this one is made to sound so bad you could call it a Nightmare on Cybersecurity Street.

In this case, a hacker exfiltrated the electronic Protected Health Information (“ePHI”) of 3.9 million patients.

And the lawsuit against Medical Informatics Engineering, which ran a digital clipboard service for medical providers, puts the blame on the company's utter lack of security for making it possible. From page 1:

"In fostering a security framework that allowed such an incident to occur (ouch, that hurts)... Defendants failed to take adequate and reasonable measures to ensure their computer systems were protected, failed to take reasonably available steps to prevent the breaches, failed to disclose material facts regarding the inadequacy of their computer systems and security procedures to properly safeguard patients’ personal health information, failed to honor their promises and representations that patients’ personal health information would be protected, and failed to provide timely and adequate notice of the incident, which caused significant harm to consumers across the United States."

That's a whole lot of "failed to" statements leveled against one organization's IT security efforts. 

States' lawsuit over data breach details specific IT security failures

The list of specific InfoSec failures runs the gamut from pre-hack to breach notification.

Here are the specific cybersecurity failures which Medical Informatics Engineering (MIE) and its NoMoreClipboard service are accused of:

  • Defendants failed to implement basic industry-accepted data security measures.

  • Defendants set up a generic “tester” account which could be accessed by using a shared password called “tester” and a second account called “testing” with a shared password of “testing."

  • In addition to being easily guessed, these generic accounts did not require a unique user identification and password in order to gain remote access.

  • Defendants did not have appropriate security safeguards or controls in place to prevent exploitation of vulnerabilities within their system.

  • The “tester” account did not have privileged access but did allow the attacker to submit a continuous string of queries, known as a SQL injection attack, throughout the database as an authorized user. The queries returned error messages that gave the intruder hints as to why the entry was incorrect, providing valuable insight into the database structure.

  • The vulnerability to an SQL injection attack was identified as a high risk during a penetration test performed by Digital Defense in 2014. Digital Defense recommended that Defendant “take appropriate measures to implement the use of parameterized queries, or ensure the sanitization of user input." Despite this recommendation, Defendants took no steps to remedy the vulnerability.

  • The intruder used information gained from the SQL error messages to access the “checkout” account, which had administrative privileges.

  • The “checkout” account was used to access and exfiltrate more than 1.1 million patient records from Defendants’ databases.

  • The SQL error exploit was also used to obtain a second privileged account... [which was] used to access and exfiltrate more than 565,000 additional records.

  • The attacker initiated a second method of attack by inserting malware called a “c99” cell on Defendants’ system. This malware caused a massive number of records to be extracted from Defendants’ databases.

  • The huge document dump slowed down network performance to such an extent that it triggered a network alarm to the system administrator.

  • Defendant’s post-breach response was inadequate and ineffective. While the c99 attack was being investigated, the attacker continued to extract patient records on May 26 and May 28, using the privileged “checkout” credentials acquired through use of the SQL queries. On those two days, a total of 326,000 patient records were accessed.

  • Defendants failed to implement and maintain an active security monitoring and alert system to detect and alert on anomalous conditions such as data exfiltration, abnormal administrator activities, and remote system access by unfamiliar or foreign IP addresses. [Note: Two of the IP addresses involved in the attack were foreign.]

  • Defendants failed to encrypt the sensitive personal information and ePHI within MIE’s computer systems.

  • The incident response plan provided by Defendants was incomplete. There are several questions posed in the document that indicate it is still in a coordination or draft stage.

  • There is no documented evidence or checklist to indicate that Defendants followed their own incident response plan.

  • Finally, there is no documentation that Defendants conducted HIPAA Security and Awareness training for 2013, 2014, or 2015, prior to the breach.

  • Defendants did not conclude mailing notification letters until... six months after the breach discovery date.
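To make the "parameterized queries" recommendation concrete, here is an added example (not code from the lawsuit, from MIE, or from Digital Defense) showing the two things the allegations describe: a login query built by string concatenation that hands raw database errors back to the caller, beside the hardened form that binds parameters and returns only a generic failure. The table, accounts and passwords are constructed for the example; a real system would store salted password hashes rather than plaintext.

```python
import sqlite3


def make_db():
    """Constructed sample database: two accounts, one of them privileged."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("tester", "tester", "user"), ("checkout", "s3cret", "admin")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # Vulnerable pattern: user input is spliced directly into the SQL text,
    # so a stray quote changes the statement instead of being treated as data.
    sql = (
        f"SELECT role FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # Returning the engine's own message is the "hint" the complaint
        # describes: it tells the caller how the statement was parsed.
        return {"ok": False, "error": str(exc)}
    return {"ok": row is not None, "role": row[0] if row else None}


def login_hardened(conn, username, password):
    # Parameterized query: the driver binds values separately from the SQL
    # text, so quotes and keywords in the input never reach the parser.
    sql = "SELECT role FROM users WHERE username = ? AND password = ?"
    try:
        row = conn.execute(sql, (username, password)).fetchone()
    except sqlite3.Error:
        # Log the real error server-side; the caller gets no schema detail.
        return {"ok": False, "error": "login failed"}
    return {"ok": row is not None, "role": row[0] if row else None}


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "'", "x"))   # raw SQL error leaks to caller
    print(login_hardened(db, "'", "x"))     # same input, just a failed login
```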

Arizona, Arkansas, Florida, Iowa, Indiana, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina, and Wisconsin are the states suing the company over its poor security resulting in millions of HIPAA privacy violations. Here is the complete lawsuit against Medical Informatics Engineering.

If these allegations are true, the company may have a hard time proving it has what courts and counsel are looking for: reasonable cybersecurity.

[RELATED: Our special report, How Courts and Attorneys View Reasonable Cybersecurity]
