Rutledge Announces Judgment for First-Ever HIPAA-Related Data Breach
May 30, 2019
LITTLE ROCK – Arkansas Attorney General Leslie Rutledge today announced that the U.S District Court for the Northern District of Indiana signed the consent judgment negotiated by 16 state attorneys general and Medical Informatics Engineering Inc. The lawsuit, led by Indiana and Arkansas, was first filed in December of 2018 against a web-based electronic health records company based in Fort Wayne, Indiana. The company allegedly sustained a data breach compromising the data of more than 3.9 million people. Arkansas will receive a $112,950 payment due to the defendants’ conduct.
“Arkansans have enough to worry about in their daily lives, but protecting their deeply personal health insurance information should never be a concern,” said Attorney General Rutledge. “Technology is rapidly changing, and protecting users from data breaches must always be a top priority for companies as they expand their reach and platform. Today’s historic multistate action reaffirms our dedication to consumer protection.”
The lawsuit resolved allegations that Medical Informatics Engineering and NoMoreClipboard LLC violated provisions of the Health Insurance Portability and Accountability Act (HIPAA) as well as state claims including unfair and deceptive practice laws, notice of data breach statutes, and state personal information protection acts.
Between May 7, 2015, and May 26, 2015, hackers infiltrated WebChart, a web application run by Medical Informatics Engineering. The hackers stole the electronic protected health information of more than 3.9 million individuals – including individual names, telephone numbers, mailing addresses, usernames, hashed passwords, security questions and answers, spousal information (name and potentially dates of birth), email addresses, dates of birth, Social Security numbers, lab results, health insurance policy information, diagnoses, disability codes, doctors’ names, medical conditions, and children’s names and birth statistics. This case was the nation’s first-ever multistate lawsuit involving a HIPAA-related data breach.