EHR vendors, users: Beware the attorney general breach investigation

It's significant that the cyberattack Medical Informatics Engineering (MIE) suffered in May appears to be worse than originally thought. It has now been revealed that 11 of MIE's provider clients, plus 44 radiology centers, have been impacted by the data breach, affecting 3.9 million people nationwide. The type of data compromised is a treasure trove for the hackers, including not only demographic information, but also Social Security numbers, medical information and even family member data.

But what is also significant is that it's the Indiana Attorney General's office, not the Department of Health and Human Services' Office for Civil Rights (OCR), that's investigating the breach.

OCR investigates a lot of data breaches, but resolves the vast majority of them quietly and informally. It has issued only one civil monetary penalty and 25 formal resolution agreements, and typically does so only when it finds multiple security issues and wants to send a message to the industry. For instance, its latest resolution agreement was with a hospital which, among other things, failed to protect electronic patient data on an unsecured data storage Internet application. OCR actually began its investigation in 2013, but didn't make it public until the settlement was announced last month.

It's a different story when state attorneys general get involved in security breaches.

For one, attorneys general are more vocal about their investigations. The Indiana Attorney General has already made it public that MIE is under investigation. When warranted, the Attorney General then sues the violator, also publicly. MIE is going to be in the limelight throughout the process.

Also, attorneys general have been known to expand their investigations. The Minnesota Attorney General, investigating debt collector company Accretive Health after a data breach, widened its investigation to two hospitals that had hired Accretive after discovering that the hospitals gave Accretive more than the minimum necessary for it to do its job (also a HIPAA violation). The Indiana Attorney General--the same one investigating MIE--fined a dentist $12,000 earlier this year for a breach caused by the company he hired to dispose of patient records after it was discovered that the company tossed them into public dumpster. And this was even though he was no longer in practice.

Plus, attorneys general aren't limited to pursuing HIPAA violations. They can also investigate for violations of state law. The Illinois Attorney General is suing FileFax for improper disposal of a medical group's patient records on the grounds that it violated state laws.

And the attorneys general appear to have no qualms targeting business associates, unlike the federal government, which is more focused on plans and providers, and has tabled its investigations of cloud electronic health record vendors' security processes.

The MIE investigation may set a precedent for EHR vendors and the providers who use them. The attorney general may be the first to really delve into how MIE protected--or didn't protect--patient data in the cloud.

We do have a clue about what the attorney general might find. It sounds like MIE was on top of the cyberattack, discovering it three weeks after it apparently began. But its notice also indicates that its data security wasn't as strong has it could have been. According to its updated notice:   

"We are continuing to take steps to remediate and enhance the security of our systems. Remedial efforts include removing the capabilities used by the intruder to gain unauthorized access to the affected systems, enhancing and strengthening password rules and storage mechanisms, increased active monitoring of the affected systems, and intelligence exchange with law enforcement. We have also instituted a universal password reset." 

A lawsuit has already been filed against MIE, claiming that it ignored warning signs that its security system is inadequate.

The MIE breach will serve as an example for other cloud EHR vendors regarding the extent they protect patient records and are in compliance with the law.

It also should serve as a guide for providers who use, or are considering using, a cloud vendor to determine who to entrust patient information with--or not. - Marla (@MarlaHirsch and @FierceHealthIT)