February 2019

In December 2018, twelve state Attorneys General (“AGs”) jointly filed suit against Medical Informatics Engineering, Inc. (“MIE”) claiming it violated the Health Insurance Portability and Accountability Act and its related regulatory framework (collectively “HIPAA”), as well as various state laws.

Brief Summary of the Data Breach

In May 2015, a threat actor identified two publicly accessible accounts that MIE used to test its system. These accounts had very simple, common usernames, and each password matched its username; the threat actor either guessed or programmatically cracked them. Once inside, the threat actor launched a SQL injection, a well-known and unsophisticated type of attack that has been perpetrated for at least a decade, to repeatedly query and obtain credentials for two other accounts. These subsequent accounts had administrator privileges, which gave the threat actor access to the system and the ability to exfiltrate unencrypted data.
