Rutledge Files Complaint Against Health Record Company for HIPAA Violations
December 6, 2018
More than 54,000 Arkansans affected
LITTLE ROCK – Arkansas Attorney General Leslie Rutledge today announced that she, along with 11 other states, has filed a complaint against Medical Informatics Engineering Inc. (MIE) in the U.S. District Court for the Northern District of Indiana. MIE and NoMoreClipboard LLC are web-based health record companies headquartered in Indiana that are accused of failing to protect patient user data.
“Arkansans put their trust in medical professionals across the state, who then trust data companies to protect the personal information of patients,” said Attorney General Rutledge. “Medical Informatics did not provide that security and put the personal information of Arkansans at risk. It is important that data storage companies maintain the highest level of protections against hackers.”
The complaint alleges that MIE failed to implement basic industry-accepted data security measures to protect individuals’ health information from unauthorized access, in part, by using generic accounts that could be accessed through the use of a shared password. The company violated provisions of the Health Insurance Portability and Accountability Act (HIPAA) as well as state deceptive trade practices law, notice of data breach statutes and personal information protection acts.
Between May 7, 2015 and May 26, 2015, hackers infiltrated WebChart, a web application run by MIE. The hackers stole the electronic health information of more than 3.9 million individuals, including names, telephone numbers, mailing addresses, usernames, passwords, security questions and answers, spousal information, email addresses, dates of birth, Social Security numbers, lab results, health insurance policy information, diagnoses, disability codes, doctors’ names, medical conditions, and children's names and birth statistics.
The data breach affected 54,356 Arkansans.
This filing marks the first time state attorneys general have joined together to pursue a HIPAA-related data breach case in federal court.
In addition to Arkansas, the states of Arizona, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin filed the complaint.