December 5, 2018

First HIPAA lawsuit filed by multiple states

The attorneys general of twelve states have filed a civil suit in the US District Court for the Northern District of Indiana against Medical Informatics Engineering Inc. and its subsidiary, NoMoreClipboard, LLC, for damages arising out of a  May 2015 data breach.  The complaint is brought by Indiana, along with Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina, and Wisconsin, and alleges that the defendants failed to protect the electronic Protected Health Information (“ePHI”) of 3.9 million individuals whose personal and health information was obtained by hackers.  According to the complaint, the defendants failed to take adequate and reasonable measures to protect their computer systems and prevent breaches, failed to disclose material facts regarding the inadequacy of their security systems, and failed to provide timely and adequate notice of the incident.  The complaint is brought pursuant to Department of Health and Human Services regulations, 45 C.F.R. § 160 et seq.; the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, 42 U.S.C. §1302(a) (“HIPAA”); and state medical privacy laws.  The AGs seek unspecified monetary compensation, in addition to injunctive relief imposing remedial measures including improved security policies, procedures, education, and training; implementation of multi-factor authentication; and the engagement of a third party to conduct a risk analysis and produce a security report.

Complaint | Breach notification (MIE) | Breach FAQs (MIE) | Breach notification (NMC) | Breach FAQs (NMC)