Indiana medical company hit with first multistate HIPAA lawsuit: 7 things to know

Julie Spitzer -

Attorneys general from 12 states have united to sue an Indiana medical company over a 2015 data breach, according to Inside INdiana Business.

Here are seven things to know:

1. Hackers gained access to a web application called WebChart operated by Medical Informatics Engineering and its subsidiary NoMoreClipboard — collectively known as MIE — between  May 7, 2015, and May 26, 2015. The data of about 3.9 million people was compromised.

2. According to azcentral, the lawsuit alleges the hackers stole electronic protected health information, including: names, phone numbers, mailing addresses, user names, passwords, security questions and answers, spousal information (name and potentially date of birth), email addresses, dates of birth, Social Security numbers, lab results, health insurance policy information, diagnoses, disability codes, physicians' names, medical conditions and children's names and birth statistics.

3. The lawsuit claims MIE is liable because it did not properly establish "basic industry-accepted data security measures to protect individual's health information from unauthorized access."

4. The attorneys general have brought the suit under HIPAA as well as several state laws, including unfair and deceptive practice laws, notice of data breach statutes and state personal information protection acts.

5. Azcentral could not reach MIE at the time its report was published Dec. 3, but it reported that the company acknowledged the breach in 2015. At the time, MIE called it a "cyberattack" and said some personal and protected health information stored in "certain clients'" EHRs had been affected.

6. The 12 states in the lawsuit are Arizona, Arkansas, Florida, Iowa, Indiana, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin.

7. This action marks the first time states have joined together to file a HIPAA-related lawsuit.

Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.