Arizona Attorney General Mark Brnovich recently announced a settlement with healthcare software provider Medical Informatics Engineering Inc. (“MIE”) and its wholly owned subsidiary NoMoreClipboard, LLC. The settlement resolves a multistate litigation arising out of a May 2015 data breach in which hackers infiltrated WebChart, a web application run by MIE, and stole the electronic Protected Health Information (“ePHI”) of over 3.9 million individuals. Arizona and 15 other states (the “Multistate AGs”) filed the suit in December 2018, asserting claims under the federal Health Insurance Portability and Accountability (“HIPAA”) as well as various applicable state data protection laws. Notably, the lawsuit was the first-ever multistate litigation alleging claims under HIPAA.

The stolen ePHI included names, telephone numbers, mailing addresses, usernames, hashed passwords, security questions and answers, spousal information, email addresses, dates of birth, Social Security numbers, lab results, health insurance policy information, diagnoses, disability codes, doctors’ names, medical conditions and children’s names and birth statistics.

The 16 states alleged that MIE:

  • failed to implement basic industry-accepted data security measures;
  • did not have appropriate security safeguards or controls in place to prevent exploitations of vulnerabilities within its system;
  • had an inadequate and ineffective response to the breach that violated various state breach notification laws; and
  • failed to encrypt the sensitive ePHI.

The settlement requires MIE to pay $900,000 to the plaintiff states. The terms of the settlement also include an injunction requiring MIE to implement extensive data security improvements. Highlights of the injunction include requirements that MIE:

  • implement and maintain an information security program that contains administrative, technical and physical safeguards appropriate to (1) the size and complexity of MIE’s operations, (2) the nature and scope of MIE’s activities, and (3) the sensitivity of the ePHI MIE maintains;
  • ensure that no generic account on its information system  has administrative privileges;
  • require multi-factor authentication to access the WebChart portal that allows access to electronic health records;
  • annually train relevant employees regarding their information privacy and security policies; and
  • annually, for a period of five years, engage an independent third-party professional to conduct a current, comprehensive and thorough risk analysis of security risks to be reviewed by the Indiana Attorney General and shared with the 15 other states that were parties to the litigation.

The $900,000 settlement will be split among the states and be used to cover the costs of the investigation and litigation. The remaining money will be spread among various consumer protection, privacy enforcement and consumer education funds across the 16 states.

The case was filed in the U.S. District Court for the Northern District of Indiana, where MIE is headquartered. The 16 plaintiff states were Arizona, Arkansas, Connecticut, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee, West Virginia and Wisconsin. There is a separate consumer class-action lawsuit pending in the same court that seeks direct relief for affected consumers.