Christopher Draven, Client Experience at Umbrella Managed Systems
Medical Informatics Engineering (MIE), a healthcare technology solutions provider, was named in a multi-State lawsuit filed earlier this month. Servers used by WebChart, an EHR solution offered by MIE, were breached in 2015. The security compromise included the release of personal information, date of birth, social security numbers, health insurance details, and medical information.
The Allegations
Filed by twelve (12) Attorneys General from across the U.S., the lawsuit alleges that MIE:
- Suffered a data breach, where hackers had access to the Protected Health Information (PHI) of approximately 3.9 Million individuals. More than 1.5 Million records were extracted from the system.
- Knowingly fostered a security framework that allowed the breach to occur, by failing to take adequate and reasonable security measures.
- Failed to disclose material facts related to the breach.
- Did not notify impacted individuals in a timely manner – taking nearly six months to conclude the notifications.
The States involved in the action include Arizona, Arkansas, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina, and Wisconsin.
The Takeaway
If you set aside the security framework issues, the lawsuit touches on a recurring theme at the center of many breaches – failure to document and enforce processes and policies. Understanding how to properly document and enforce security policies is a critical component of remaining compliant. Many organizations skip this step, which can lead to an ineffective security awareness culture.
Equifax – Another Example
Another widely publicized and more egregious example of a preventable data breach is Equifax. The House Oversight Committee released its investigative report, and the committee held nothing back. The detailed report alleges a litany of wrongdoings, including failure to patch known server vulnerabilities – and the unforgivable sin of leaving an unsecured file, with passwords to over 48 databases full of unencrypted data, lying around on a server.
How Umbrella Can Help – ITMS 3.0
Knowing your system vulnerabilities and planning for the worst is how you prevent or recover from a data breach. The Umbrella ITMS 3.0 program can help your business improve system resiliency and put safeguards in place to combat cyber-attacks.
At a high-level, the program offers:
- Drive Encryption
- Two-Factor Authentication (2FA)
- Next Generation Firewall Security
- Security Awareness Training
- Advanced Email Security and Encryption
ITMS 3.0 was built with security in mind. We partner with clients to identify and eliminate security vulnerabilities, because properly securing your system is not only wise but also a regulatory concern. Plus, going beyond the technology, ITMS 3.0 gives clients access to tailored policy documentation, which helps to establish required policies and processes. Interested? Please get in touch.
For more information about the EHR Breach, refer to the SecurityWeek.com article, or the Official Complaint/Lawsuit Filing.
For more information about the House Oversight Committee findings on Equifax, refer to the TechCrunch.com article, or the Oversight Committee Report.