
12 Attorneys General Sue for 2015 Breach in First Case of Its Kind

1.8.2019

North Carolina joined Attorneys General from a dozen states in suing Indiana-based Medical Informatics Engineering (MIE) and affiliates. The complaint alleges that the companies failed to undertake reasonable measures to protect their computer systems. This failure caused a security breach in 2015. As many as 3.9 million patients had protected health information (PHI) compromised during the breach.

The compromised PHI allegedly included names, telephone numbers, addresses, usernames, hashed passwords, security questions, spousal information, email addresses, birthdates, Social Security numbers, lab results, health insurance information, diagnoses, disability codes, treating physicians, medical conditions, and child statistics.

The defendants’ alleged shortcomings include (1) failure to undertake reasonable steps to prevent the breaches; (2) failure to disclose the inadequacy of their computer systems and security processes; (3) failure to fulfill promises to protect PHI; and (4) failure to provide timely and adequate notice of the breach. The states allege that these failures led to significant harm to consumers across the nation.

For their part, the defendants insist that they were subject to a sophisticated attack, and responded promptly. They hired outside security consultants. They notified the FBI. They also instituted additional safeguards and processes.

The striking point is that the Complaint alleges the hackers infiltrated the MIE systems using rudimentary rather than sophisticated tactics. For example, the web app included generic names and passwords such as “tester” and “testing”. (The accounts were created in response to a client request.) The weak password protection enabled hackers to penetrate the accounts with relative ease. The database design also allegedly left PHI vulnerable to malicious SQL queries.

The states maintain that the defendants did not address the security vulnerabilities even after security tests identified them as potential problems. For instance, the Complaint alleges that security vendor Digital Defense had warned that the generic accounts were an issue. The defendants left them in place.

Other allegations state that the defendants’ information security policies were deficient. Poor documentation was an issue. For example, the incident response plan was incomplete, with several questions indicating that it was in a coordinator or draft state. The defendants did not even document HIPAA Security and Awareness training for 2013, 2014, or 2015.

The Complaint’s allegations underscore the necessity of documenting basic security processes. Moreover, identified vulnerabilities must be addressed quickly to stave off future complaints.

Together with North Carolina, the suing states are Arizona, Arkansas, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, and Wisconsin. They allege HIPAA violations and violations of state laws on PHI protection, unfair and deceptive trade practices, and data breach notification.

Along with the Pennsylvania Supreme Court decision we recently analyzed, the state lawsuit signals increased exposure for data breaches. Strikingly, recent litigation is increasingly reliant on common law and statutory claims rather than privacy or cybersecurity statutes. The states seek unspecified statutory damages and civil penalties. The case is the first of its kind. It will not be the last.

Physical Address: 301 Fayetteville Street, Suite 1900, Raleigh, NC 27601 | © Poyner Spruill LLP. All rights reserved.
