May 28, 2019

HIPAA settlement involving 16 states

A consent judgment has been entered by the United States District Court for the Northern District of Indiana in a suit brought by 16 states* against two associated electronic health record-keeping and patient portal providers and their affiliates.  According to the complaint, unauthorized persons infiltrated the computer systems of the defendants, Medical Informatics Engineering, Inc., and NoMoreClipboard, LLC, and their affiliates during a 19-day period in May 2015, and stole the personal and protected health information of 3.9 million people, including:  names, telephone numbers, mailing addresses, usernames, passwords, security questions and answers, names and birthdates of spouses and children, email addresses, birthdates, Social Security numbers, lab results, medical conditions, diagnoses, disability codes, physician information, and health insurance policy information.  The plaintiffs allege that by failing to take adequate measures to protect this data, and by fostering a security framework that allowed the hack to occur, the defendants are liable under the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936, as amended by the Health Information Technology for Economic and Clinical Health Act, Pub. L. No. 111-5, 123 Stat. 226 (“HIPAA”), and various state data breach, deceptive practices and privacy laws.

The consent judgment requires that the defendants comply with HIPAA and the states’ privacy laws, data breach notification requirements and deceptive trade practices laws, and refrain from misleading consumers in connection with the safeguarding of protected health information.  The judgment also obligates the defendants to implement and maintain appropriate written information security programs, including multi-factor authentication protocols for users and employees working remotely, and to implement a security incident and event monitoring solution to detect and respond to malicious attacks.  Furthermore, the judgment requires the defendants to engage an independent third-party professional to conduct a comprehensive risk analysis of security risks and vulnerabilities, to train employees, to designate a privacy officer to ensure compliance with the judgment, and to pay $900,000 to the plaintiff states in installments over the next three years.

*The states are:  Arizona, Arkansas, Connecticut, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee, West Virginia, and Wisconsin.

Consent Judgment and Order | Complaint