A Fort Wayne-based electronic health records company has agreed to pay $900,000 to settle an Indiana-led multistate lawsuit filed after a data breach compromised the personal health information of nearly 4 million people.
Indiana’s share of the consent judgment, entered Tuesday in Indiana, et al. v. Medical Informatics Engineering, Inc., et al., 3:18-cv-969, is $174,745.29, Attorney General Curtis Hill announced Wednesday.
Indiana and 15 other states sued Medical Informatics Engineering, Inc. and its subsidiary NoMoreClipboard LLC in December 2018 after a May 2015 cyberattack compromised the electronic Protected Health Information, or ePHI, of some 3.9 million people. The complaint, amended May 23, alleged violations of the Health Insurance Portability and Accountability Act, or HIPAA, and related state laws.
The claims brought by Indiana include allegations of deceptive acts in violation of Indiana Code section 24-5-0.5-3 and failure to implement reasonable procedures to protect personal information in violation of I.C. 24-4.9-3-3.5, in addition to the HIPAA violations.
MIE and NoMoreClipboard both operate out of Fort Wayne and provide “electronic health services to physicians and medical facilities nationwide.” The amended complaint alleges that “(b)etween May 7, 2015 and May 26, 2015, hackers infiltrated and accessed the computer systems of Defendants.”
According to the complaint, MIE and NoMoreClipboard had deficient security frameworks, including generic accounts that could be accessed by multiple people using the shared passwords “tester” and “testing.” These generic accounts were identified as being high-risk during a security test conducted earlier in 2015.
Because of the security shortcomings, personal information including names, addresses, Social Security numbers and diagnoses, among other information, was accessed.
The consent judgment does not require MIE or NoMoreClipboard to admit any of the alleged facts or liability, but it does impose several injunctive provisions designed to increase the companies’ cybersecurity.
Among those requirements, the defendants must ensure their generic accounts do not have administrative privileges. Additionally, the Fort Wayne companies must implement multi-factor authentication to access their portals and conduct regular cybersecurity training.
The consent judgment also requires MIE and NoMoreClipboard to hire a third-party professional to conduct a risk analysis and compile a formal security report. The professional, who must be certified in information privacy, must conduct an analysis within 90 days of the May 28 judgment, then annually for five years.
In announcing the consent judgment, Hill’s office praised MIE for cooperating with the states’ investigations and for their “concern for those whose data was compromised.”
“Hoosier consumers trust us to look out for their interests,” Hill said in a statement. “Once again, we have acted on their behalf to pursue the appropriate penalties and remedies available under law. We hope our proactive measures serve to motivate all companies doing business in Indiana to exercise the highest possible ethics and the utmost diligence in making sure their systems are safe and secure.”
In a news release, MIE said it has also reached a $100,000 settlement with the U.S. Department of Health and Human Services Office for Civil Rights.
"Our organization has been open and transparent about this attack since we discovered it, and we notified law enforcement authorities within hours to share information on the perpetrators of this security incident," MIE founder Doug Horner said in a statement. "We provided notice to those affected following the attack, and also paid for two years of credit monitoring protection. Working with the OCR, the multi-state AG group, and the plaintiffs underscores our commitment to working with regulators to help safeguard sensitive patient information."
In addition to Indiana, the states suing MIE and NoMoreClipboard included Arizona, Arkansas, Connecticut, Florida, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee, West Virginia and Wisconsin.