Healthcare Information Security

HIPAA and Compliance News

12 States Sue Business Associate for 2015 Health Data Breach

More than 3.9 million patient records across the US were breached by EHR vendor Medical Informatics Engineering in 2015, leading to this first multi-state HIPAA-related data breach lawsuit.

healthcare data breach lawsuit

By Jessica Davis

- A dozen states have filed a Federal lawsuit against Indiana-based Medical Informatics Engineering (MIE) and subsidiary NoMoreClipboard, over a 2015 hack that breached the data of more than 3.9 million patients nationwide.

The Attorneys General from Indiana, Arizona, Minnesota, Arkansas, Florida, Kansas, Iowa, Louisiana, Kentucky, Wisconsin, Nebraska, and North Carolina have filed a joint lawsuit against MIE, the first multi-state HIPAA-related healthcare data breach lawsuit.

They all claim the electronic healthcare record vendor violated portions of HIPAA and other state regulations, such as Unfair and Deceptive Practice laws, Personal Information Protection Acts and Notice of Breach statutes.

The suit stems from a 2015 breach notification from MIE. On May 7, hackers breached WebChart, an MIE web application, which continued for more than three weeks until officials finally discovered “suspicious activity” on one server. In that time they stole the patient data of nearly 4 million individuals.

Patients who received radiology care at any of MIE’s 44 locations were included in the breach. The data included highly sensitive data including Social Security numbers, lab results, demographic data, medical conditions, children’s names, disability codes, health insurance policy data and more.

MIE provided free credit monitoring and identity protection services to all patients involved in the breach. The Indiana Attorney General at the time urged all state residents to freeze their credit.

 “In fostering a security framework that allowed such an incident to occur, defendants failed to take adequate and reasonable measures to ensure their computer systems were protected, failed to take reasonably available steps to prevent the breaches, failed to disclose material facts regarding the inadequacy of their computer systems and security procedures,” among a host of other reasons.

The states argue that MIE failed to implement basic, industry-accepted, security measures to protect electronic patient data from unauthorized access. And MIE lacked security safeguards or controls to prevent the exploitation of system flaws.

Further, the sensitive data and ePHI was not encrypted, contrary to its privacy policy, according to the suit. And MIE’s response to the breach was both inadequate and ineffective.

The states are asking the judge to provide victims with injunctive relief, civil penalties and restitution, along with any other relief the court finds acceptable

“Patients expect health companies to protect the privacy of their electronic health records. This company did not do so,” Minnesota Attorney General Lori Swanson said in a statement.

“We make it our standard practice to pursue all penalties and remedies available under the law on behalf of our citizens, Indiana Attorney General Curtis Hill said in a statement. “We hope our proactive measures serve to motivate all companies doing business in Indiana to exercise the highest ethics and utmost diligence.”


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks

Continue to site...