AG Curtis Hill obtains consent judgment in first-ever multistate HIPAA-related data breach lawsuit

Indiana Attorney General Curtis Hill announced this week that a U.S. district court judge has signed a consent judgment negotiated between 16 state attorneys general and a Fort Wayne web-based electronic health records company that allegedly sustained a data breach compromising the data of more than 3.9 million people.

Hill

In December of 2018, Indiana led a multistate lawsuit against the company – Medical Informatics Engineering Inc. and NoMoreClipboard LLC (collectively “MIE”). This case was the nation’s first-ever multistate lawsuit involving a HIPAA-related data breach.

With the signing of the consent judgment, the 16 states will receive $900,000 in payments due to the defendants’ conduct. Indiana’s share is $174,745.29.

The lawsuit resolved allegations that MIE violated provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) as well as state claims including Unfair and Deceptive Practice laws, Notice of Data Breach statutes, and state Personal Information Protection Acts.

Between May 7, 2015, and May 26, 2015, hackers infiltrated WebChart, a web application run by MIE. The hackers stole the electronic Protected Health Information (“ePHI”) of more than 3.9 million individuals – including individual names, telephone numbers, mailing addresses, usernames, hashed passwords, security questions and answers, spousal information (name and potentially dates of birth), email addresses, dates of birth, Social Security numbers, lab results, health insurance policy information, diagnosis, disability codes, doctors’ names, medical conditions, and children’s names and birth statistics.

“Hoosier consumers trust us to look out for their interests,” Hill said. “Once again, we have acted on their behalf to pursue the appropriate penalties and remedies available under the law. We hope our proactive measures serve to motivate all companies doing business in Indiana to exercise the highest possible ethics and the utmost diligence in making sure their systems are safe and secure.”

Hill added that MIE has cooperated with his office from the very beginning of the investigation into the hacking incident.

“To their credit, MIE’s management has taken this entire issue seriously,” Hill said. “All along, they have expressed concern for those whose data was compromised. Even as we pursued the appropriate actions to protect consumers, we also appreciated MIE’s willingness to work with us.”