EHR vendors, users: Beware the attorney general breach investigation

Marla Durben Hirsch | Fierce EMR | August 5, 2015

It's significant that the cyberattack Medical Informatics Engineering (MIE) suffered in May appears to be worse than originally thought. It has now been revealed that 11 of MIE's provider clients, plus 44 radiology centers, have been impacted by the data breach, affecting 3.9 million people nationwide. The type of data compromised is a treasure trove for the hackers, including not only demographic information, but also Social Security numbers, medical information and even family member data.

But what is also significant is that it's the Indiana Attorney General's office, not the Department of Health and Human Services' Office for Civil Rights (OCR), that's investigating the breach.

OCR investigates a lot of data breaches, but resolves the vast majority of them quietly and informally. It has issued only one civil monetary penalty and 25 formal resolution agreements, and typically does so only when it finds multiple security issues and wants to send a message to the industry. For instance, its latest resolution agreement was with a hospital which, among other things, failed to protect electronic patient data on an unsecured data storage Internet application. OCR actually began its investigation in 2013, but didn't make it public until the settlement was announced last month. It's a different story when state attorneys general get involved in security breaches...