Most countries have some form of legislation detailing how corporations, state departments, and in certain instances private individuals must make cybersecurity a priority. These pieces of legislation more often than not specify how data and networks are to be protected and how the authorities may punish those found to be negligent when this is not done. This punishment is often meted out in the form of massive fines, which can easily reach the hundreds of millions. For the first time in United States legal history, twelve states have jointly filed a lawsuit in a data breach case. The twelve states have filed the lawsuit under the Health Insurance Portability and Accountability Act (HIPAA) in response to a data breach which occurred in 2015. HIPAA is a piece of legislation enacted in the US that provides data privacy and security provisions for safeguarding medical information. The law has gained greater prominence in recent years with the proliferation of health data breaches caused by cyber attacks and ransomware attacks on health insurers and providers. Compliance with the law is seen as non-negotiable by legislators and the relevant enforcement bodies.
Medical Informatics Engineering Breach
The lawsuit, which was filed in Indiana on December 3, alleges that Medical Informatics Engineering (MIE) and its subsidiary NoMoreClipboard had “failed to take adequate and reasonable measures to ensure their computer systems were protected.” Further, the papers filed with the court allege that because of these failings hackers gained access to MIE's WebChart web app, from where they accessed and stole the personal details of 3.9 million US citizens who visited 11 healthcare providers and 44 radiology clinics that managed patient data via the WebChart app.
According to a press release issued by MIE in 2015, the stolen data included names, phone numbers, home addresses, dates of birth, Social Security numbers, email addresses, passwords, usernames, and security questions, but also healthcare information such as lab results, diagnoses, medical conditions, disability codes, medical records, health insurance information, and even information on patients' family members. In other words, the hackers managed to find the treasure trove below where “x” marked the spot.
The vast majority of individuals affected resided in Indiana, but users in other states were also affected. This has led the states of Arizona, Arkansas, Florida, Iowa, Indiana, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina, and Wisconsin to file the lawsuit. According to a copy of the lawsuit obtained by ZDNet, the states allege that officials employed by MIE failed on several fronts when it came to implementing “basic industry-accepted data security measures,” as set out in HIPAA. The lawsuit itself covers a large number of instances where it is alleged MIE was negligent; some of the more serious allegations are included below:
- On May 25, 2015, the attacker initiated a second method of attack by inserting malware called a “c99” shell on Defendants' system. This malware caused a massive number of records to be extracted from Defendants' databases. The huge document dump slowed down network performance to such an extent that it triggered a network alarm to the system administrator. The system administrator investigated the event and terminated the malware and data exfiltration on May 26, 2015.
- Defendant's post-breach response was inadequate and ineffective.
- While the c99 attack was being investigated, the attacker continued to extract patient records on May 26 and May 28, using the privileged “checkout” credentials acquired through the use of the SQL queries. On those two days, a total of 326,000 patient records were accessed.
- The breach was not successfully contained until May 29, when a security contractor hired by Defendant identified suspicious IP addresses which led the contractor to uncover the principal SQL attack method.
- Defendants failed to implement and maintain an active security monitoring and alert system to detect and alert on anomalous conditions such as data exfiltration, abnormal administrator activities, and remote system access by unfamiliar or foreign IP addresses.
- The significance of the absence of these security tools cannot be overstated, as two of the IP addresses used to access Defendants' databases originated from Germany. An active security operations system should have identified remote system access by an unfamiliar IP address and alerted a system administrator to investigate.
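The allegations above describe the monitoring MIE is said to have lacked: alerting on access from unfamiliar or foreign IP addresses and on unusually large record extractions. The following Python sketch is an added illustration of such detection logic and is not code from the article or the court filing; the log line format, the GeoIP stand-in table, the account names and the thresholds are all assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample of database access-log lines (hypothetical format):
# timestamp  source-IP  account  action  rows-returned
SAMPLE_LOG = """\
2015-05-25T09:12:01 10.20.1.14 admin1 query 40
2015-05-25T09:40:22 203.0.113.7 checkout query 120000
2015-05-25T10:05:10 10.20.1.14 admin1 query 75
2015-05-25T10:30:45 198.51.100.9 checkout query 95000
2015-05-26T08:15:00 203.0.113.7 checkout query 111000
"""

# Constructed stand-in for a GeoIP lookup (a real deployment would query a GeoIP database).
GEO = {
    ipaddress.ip_network("10.20.0.0/16"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "DE",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
}
EXPECTED_COUNTRIES = {"US"}       # where legitimate access is expected from (assumed)
ROWS_PER_QUERY_LIMIT = 10_000     # a single query returning more rows than this is bulk
ROWS_PER_DAY_LIMIT = 200_000      # cumulative rows per account per day

def country_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEO.items() if addr in net), "UNKNOWN")

def detect(log_text):
    """Return a list of (rule, timestamp, account, source-ip, detail) alerts."""
    alerts, daily, volume_alerted = [], defaultdict(int), set()
    for line in log_text.splitlines():
        ts, ip, account, _action, rows = line.split()
        rows, cc, day = int(rows), country_of(ip), ts[:10]
        if cc not in EXPECTED_COUNTRIES:          # access from an unfamiliar country
            alerts.append(("foreign_ip", ts, account, ip, cc))
        if rows > ROWS_PER_QUERY_LIMIT:           # single bulk extraction
            alerts.append(("bulk_query", ts, account, ip, rows))
        daily[(account, day)] += rows             # slower exfiltration spread over a day
        if daily[(account, day)] > ROWS_PER_DAY_LIMIT and (account, day) not in volume_alerted:
            volume_alerted.add((account, day))    # alert once per account and day
            alerts.append(("daily_volume", ts, account, ip, daily[(account, day)]))
    return alerts

def alert_counts(log_text):
    """Number of alerts per rule, e.g. {'foreign_ip': 3, 'bulk_query': 3, 'daily_volume': 1}."""
    return dict(Counter(a[0] for a in detect(log_text)))

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

On the constructed log every access by the privileged account from the German ranges trips the foreign-IP rule, each of its queries trips the bulk-query rule, and its two May 25 queries together trip the daily-volume rule.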
While this is only a small selection of the instances in which the attorneys believe the company to have been negligent, the timing of this lawsuit could be considered a warning to those who have recently experienced massive data breaches.
Marriott and Quora Breaches
Earlier this month hotel giant Marriott Hotels announced that it had exposed the sensitive data of approximately 327 million people. The exposed data included names, addresses and passport numbers. Marriott is yet to announce how the breach occurred, but since the announcement the company's stock has fallen 5.6%. This loss is only the tip of the iceberg: the company may not be bound by HIPAA, but it is bound by numerous other regulations designed to protect an individual's data.
This was not the only high profile breach to make headlines. Shortly after the Marriott breach was announced, the popular question and answer platform Quora announced that it too had suffered a data breach. In this instance, approximately 100 million Quora users' data was exposed. The exposed data included names, email addresses, encrypted passwords, and data imported from linked networks when authorized by users. Users' activity on the platform was also exposed. Quora, like Marriott, is yet to say what the exact cause of the breach was. Breaches occur; that is the reality of having important details saved for convenience's sake, and more breaches of large firms will happen. However, thanks to legislation, companies have to comply with a set of security standards intended to protect data. It is far too early to tell if Marriott or Quora were negligent in this duty, but more than a few attorneys will be following the MIE case closely.