I've Been Mugged Blog

The Attorney General's Office for the State of Arizona announced last month a major settlement agreement with two healthcare software providers: Medical Informatics Engineering Inc. and its subsidiary, NoMoreClipboard, LLC (hereafter, referred to jointly as "MIE") following a massive data breach at MIE in 2015.  The press release by AG Mike Brnovich stated:

"The settlement resolves a bipartisan lawsuit filed by Arizona and 15 other states against MIE relating to a 2015 data breach, which was the first such multistate lawsuit involving claims under the federal Health Insurance Portability and Accountability Act ("HIPAA"). As a result of the settlement, MIE will pay $900,000 to the states, and it has agreed to a comprehensive injunction requiring the implementation of significant data-security improvements."

The case was filed in the U.S. District Court for the Northern District of Indiana, where MIE is headquartered. States involved in the joint lawsuit and settlement included Arizona, Arkansas, Connecticut, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee, West Virginia, and Wisconsin.

The data breach occurred between May 7, 2015, and May 26, 2015, when hackers broke into WebChart, a web application by MIE and stole:

"... the electronic Protected Health Information ("ePHI") of more than 3.9 million individuals, including roughly 26,000 Arizonans. Stolen ePHI included names, telephone numbers, mailing addresses, usernames, hashed passwords, security questions and answers, spousal information (name and potentially date of birth), email addresses, dates of birth, Social Security numbers, lab results, health insurance policy information, diagnoses, disability codes, doctors’ names, medical conditions, and children’s names and birth statistics."

The consent order and judgment is available here. Indiana’s share was $174,745.29. Indiana AG Curtis Hill said:

"Hoosier consumers trust us to look out for their interests... Once again, we have acted on their behalf to pursue the appropriate penalties and remedies available under the law. We hope our proactive measures serve to motivate all companies doing business in Indiana to exercise the highest possible ethics and the utmost diligence in making sure their systems are safe and secure."