State Attorneys General Jointly Sue Over Data Breach, Alleging HIPAA Violations
On December 4, 2018, attorneys general from twelve states (Arizona, Arkansas, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina, and Washington) jointly filed a lawsuit in the U.S. District Court for the Northern District of Indiana against Medical Informatics Engineering, Inc. (“MIE”) and its wholly-owned subsidiary NoMoreClipboard, LLC (“NMC”), relating to a May 2015 data breach.
MIE and NMC offer a web-based electronic health record called “WebChart” and a portal for patients and healthcare providers to access electronic health records. From May 7, 2015 and May 26, 2015, unauthorized individuals hacked “the inadequately protected computer systems” of MIE and NMC, resulting in the theft of electronic Protected Health Information (“ePHI”) of 3.9 million individuals.
The complaint alleges a number of flaws in the information security system and procedures in place at MIE and NMC during the 2015 hack. For example, the complaint states that the companies used generic accounts with the usernames “tester” and “testing” which could be accessed using the passwords “tester” and “testing,” respectively. Although the hackers could not obtain ePHI directly though these generic accounts, access to these accounts allowed the hackers to eventually infiltrate accounts that had direct access to ePHI. Furthermore, the complaint mentions the length of the hack—nearly three weeks—as evidence that the companies “failed to implement and maintain an active security monitoring and alert system” to identify such activities. In addition, despite specifically listing encryption as a method of protecting patient information in the companies’ privacy policies, such information (including ePHI), was not encrypted within MIE’s computer systems, thus allowing the hackers to access the ePHI once they were able to access the system.
This lawsuit marks the first instance of state attorneys general banding together to jointly file a lawsuit over alleged violations of the federal Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”) since being granted such authority in 2009 pursuant to the Health Information Technology for Clinical and Economic Health (or “HITECH”) Act. This lawsuit signals a new line of enforcement of HIPAA—joint actions by state attorneys general—in addition to traditional enforcement by the U.S. Health and Human Services’ Office for Civil Rights.