attacker had done, and stop the data from being stolen.
MIE's failures were not limited to purely technical issues; they also existed at an administrative level. The breach investigation revealed that MIE was aware of these weaknesses and the risks they posed well before the breach, but had not taken steps to remediate them. In the time leading up to the breach, MIE had conducted at least two penetration tests that flagged the issues: one that flagged the two accounts' credentials and another that identified the SQL vulnerability. Both penetration tests not only flagged the issues but also rated them as high risks.
Legal Framework and MIE’s Compliance Failures
In their complaint, the AGs allege that MIE failed to comply with a number of legal requirements. They point specifically to violations of the HIPAA Privacy and Security Rules and of state laws that require companies to maintain reasonable security measures, notify individuals of a breach in a timely manner, and accurately describe the level of security the company applies to the data it maintains.
HIPAA Technical Security Requirements
The AGs also claim that MIE's security protections fell short of multiple HIPAA Security Rule standards. In the complaint, the AGs allege that MIE violated the Security Rule by:
Failing to review and modify security measures needed to
maintain a reasonable and appropriate level of protection
Maintaining insufficient security measures to reduce risks
and vulnerabilities to a reasonable and appropriate level
Failing to regularly review records of information system activity
Lacking mechanisms that record and examine activity in information systems
Failing to identify and track users, authenticate users, and manage users' access
Not adequately encrypting the data it stored
In the complaint, the State AGs highlight the absence of an active security monitoring and alert system. Per the complaint, the lack of these protections is significant because, had they been in place, they would have alerted MIE to the presence of suspicious remote connections long before the network slowdown. The absence of such a system is therefore a potential violation of the Security Rule, because MIE failed to review and modify security measures needed to maintain a reasonable and appropriate level of protection over electronic protected health information, implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level, implement procedures to regularly review records of information system activity, and implement mechanisms that record and examine activity in information systems, all of which the regulations require.
The complaint also faults MIE's lack of controls around how users accessed the network, including not identifying and tracking users, not authenticating users, and not managing users' access, all of which are also required by the Security Rule. Finally, the AGs identified the lack of encryption of the data that was exfiltrated as a further violation of the Security Rule's technical requirements.
HIPAA Administrative Requirements
In addition to the technical safeguard issues, the AGs cited MIE for deficiencies in meeting required administrative safeguards. The complaint specifically notes MIE's flawed incident response process and its unfinalized, incomplete incident response plan. The AGs deem this a violation of HIPAA's requirement to have such a process in place and suggest that the state of the incident response plan is representative of the quality of MIE's other policies and procedures. Similarly, the fact that MIE conducted risk analyses but did not remediate the risks those analyses revealed is yet another administrative violation. Finally, the AGs' position is that the lack of controls on the amount of information that was accessible using the compromised accounts is an indication that MIE does
Historic State AG