Twelve states sue business associate over HIPAA breach that affected millions
Twelve state attorneys general filed a federal lawsuit last month against Medical Informatics Engineering Inc. (MIE), in Fort Wayne, Indiana, for failing to secure its computer systems, which resulted in a HIPAA data breach that compromised the data of more than 3.9 million people, the Journal Gazette reports.
MIE is a third-party provider, and therefore a business associate under HIPAA, that licenses WebChart, a web-based electronic health record application, to providers.
The incident referred to in the lawsuit occurred between May 7 and May 26, 2015, when a cybersecurity breach compromised WebChart. The lawsuit alleges that MIE was aware of security issues with the application and failed to implement basic industry-standard security protections. Hackers were able to access the system through a tester account with the username and password “testing,” which did not require a unique user identification for remote access. In addition, the complaint alleges that MIE did not encrypt protected health information (PHI) within its own computer systems.
PHI and other patient data stolen in the breach included:
- Dates of birth
- Email addresses
- Health information
- Health insurance policy information
- Mailing addresses
- Names
- Security questions and answers
- Social Security numbers
- Spousal information
- Telephone numbers
- Usernames and passwords
The complaint was filed in the U.S. District Court for the Northern District of Indiana. Other states involved in the litigation are Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina, and Wisconsin. This is the first-ever multistate data breach lawsuit.