Case Study – Simple Passwords Lead to a $100,000 HIPAA Violation

Passwords are the primary method we have for defending our sensitive data. We use them on our mobile devices, our computers, online accounts such as Facebook, banking, Amazon, and also for ATM cards. Passwords are everywhere. When we use simple passwords, we make the attacker’s job a lot easier: passwords that are easy to break increase the likelihood of a successful breach. One truism in security is that the attacker only needs to be right once while the defenders have to be right every time. This is true with passwords. One simple password can compromise an entire network, and the attacker only needs to break that one account. That is what happened in this week’s case study, and it cost the victim $100,000.

What happened?

On May 7th, 2015, Medical Information Engineering, Inc (MIE) was the victim of a hacker attack. MIE is an Indiana-based company that provides electronic medical records (EMR) software and other related services to providers. The hacker was able to compromise a single user account at MIE to gain access to a server. This server contained the records of the patients that belong to provider customers of MIE. The hacker accessed the network from May 7th until May 26th, a period of 19 days.

MIE notified OCR of the breach on July 26th, 2015. This triggered an investigation by OCR into the breach.

What was the result?

3.5 million patient records were improperly exposed to the attacker as a result of the breach. It is not clear if the records were stolen or simply accessed, but regardless, both are HIPAA violations.

OCR investigated and discovered that in addition to using simple passwords, MIE had not done a proper Risk Assessment to identify the areas in its business that needed to be addressed. Failure to perform a Risk Assessment is a violation of HIPAA Security Rule 45 C.F.R. § 164.308(a)(1)(ii)(A).

OCR fined MIE $100,000 and prescribed a corrective action plan that must include a Risk Assessment. Any deficiencies found by the assessment must be addressed and corrected.

MIE accepted the settlement with no admission of guilt.

You can read the OCR resolution here.

In addition to the OCR investigation, 12 state attorneys general filed a lawsuit against MIE for the breach. This case was filed in December 2018 and is pending. The lawsuit alleges that MIE failed to perform a Risk Assessment, use proper security controls, use encryption to protect data, provide security awareness training to employees, and patch existing vulnerabilities.

What are simple passwords?

Simple passwords are those that are easy for an attacker to break. These include common passwords like:

  • 123456
  • love
  • qwerty
  • password

Characteristics of simple passwords

  • Passwords less than 8 characters long
  • Not using both upper and lower letters
  • Not using numbers
  • Using common or easily guessed passwords – if it’s in the English language, you shouldn’t be using it

Another bad habit many users have is to use the same password for multiple websites or computers. It’s easy to remember so why not use it everywhere? Because once it is compromised, the attacker can use it to gain access to every account that shares it. Using a unique password for everything you have is critical.

We have written an extensive page on how to create strong passwords that can be read here. However, for a quick and dirty explanation, try this method. Choose 4 or more random words and string them together. For example:

horse carrot thermometer pipe

That password is 26 characters long. If you added a number, capitalized one of the letters, and added a special character, you would have a very strong password. It's also a lot easier to remember. This password would be nearly impossible to break.
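The characteristics of simple passwords listed above and the random-word method can be written as a short check and generator. This is an added example, not code from the original article; the function names are hypothetical and the word list is a small constructed sample.

```python
import math
import secrets

# Constructed sample data: the four common passwords the article lists, and a
# tiny word list. A real deployment would load a breached-password list and a
# word list with thousands of entries from files.
COMMON = {"123456", "love", "qwerty", "password"}
WORDS = ["horse", "carrot", "thermometer", "pipe", "lantern", "gravel",
         "violin", "meadow", "anchor", "biscuit", "copper", "walnut",
         "saddle", "harbor", "pepper", "thimble"]


def weaknesses(password, dictionary=frozenset(WORDS)):
    """Return the article's 'simple password' characteristics that apply."""
    found = []
    if len(password) < 8:
        found.append("shorter than 8 characters")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        found.append("does not mix upper and lower case")
    if not any(c.isdigit() for c in password):
        found.append("no numbers")
    if password.lower() in COMMON or password.lower() in dictionary:
        found.append("common password or single dictionary word")
    return found


def make_passphrase(n_words=4, words=WORDS):
    """Pick n_words uniformly at random with a CSPRNG, then add the capital
    letter, number and special character the article suggests."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    i = secrets.randbelow(n_words)
    chosen[i] = chosen[i].capitalize()
    return " ".join(chosen) + str(secrets.randbelow(10)) + secrets.choice("!@#$%^&*")


def word_entropy_bits(n_words, list_size):
    """Bits of entropy from the word choice alone: n_words * log2(list_size)."""
    return n_words * math.log2(list_size)
```

The strength of a word-based password comes from how many words the random pick could have chosen from: four words from this 16-word sample give only 16 bits, while four words from a 7,776-word list give about 51.7 bits.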

One of the best ways to ensure you always use strong passwords is to use a password manager like LastPass. LastPass will generate unique passwords for each of your online accounts and make them completely random. This ensures that you aren’t using the same password over and over for your sites. It also makes sure you are creating very strong and unbreakable passwords. LastPass stores your passwords in an encrypted database that even it can’t access.

LastPass is free and can be found here.