16 States Settle First Multistate HIPAA Lawsuit for Data Breach
By Scott Stewart
The Daily Record
Nebraska joined 15 other states in announcing last Thursday that a consent judgment has been filed in the first multistate HIPAA-related data breach lawsuit.
The case involved Indiana-based Medical Informatics Engineering Inc., which disclosed a hack in 2015 that exposed the electronic health information of more than 3.9 million people.
The lawsuit, led by Indiana, was first filed in December 2018 against the web-based electronic health company, according to a news release by Nebraska Attorney General Doug Peterson.
Following a judge’s approval, the states will receive payment of $900,000. The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services separately announced a $100,000 payment by Medical Informatics Engineering to settle potential violations of the federal Health Insurance Portability and Accountability Act of 1996.
Medical Informatics Engineering’s WebChart application was hacked in May 2015. The compromised information included names, contact information, family details, medical conditions, disability codes, Social Security numbers, lab results and health insurance policy information.
An investigation by OCR found the company did not conduct a comprehensive risk analysis prior to the breach. HIPAA requires assessing risks and vulnerabilities with respect to electronic protected health information.
“Entities entrusted with medical records must be on guard against hackers,” OCR Director Roger Severino said in a news release. “The failure to identify potential risks and vulnerabilities to ePHI (electronic Protected Health Information) opens the door to breaches and violates HIPAA.”
Medical Informatics Engineering agreed to take corrective action to comply with HIPAA in both the OCR settlement and the pending consent judgment.
“Federal and state privacy laws provide a standard that companies must meet when they store or maintain the personal information of consumers,” Peterson said in a release. “Failure to do so will result in outcomes similar to those in this case. I encourage entities to take proactive steps to protect the sensitive personal information of consumers.”