Attorney General Ashley Moody today announced an agreement reached in the nation’s first-ever multistate lawsuit filed in a federal court involving a Health Insurance Portability and Accountability Act data breach. The 16-state agreement comes following a lawsuit filed in December 2018 in federal court in Indiana against Medical Informatics Engineering, Inc., a web-based electronic health records company. The company provides patient portal and personal health records services to healthcare providers that enable patients to access and manage their electronic health records. In 2015, the company allegedly sustained a data breach compromising the data of more than 3.9 million people. The proposed consent judgment, pending court approval, resolves allegations that MIE violated provisions of HIPAA, as well as the Florida Information Protection Act and the Florida Deceptive and Unfair Trade Practices Act.
Attorney General Ashley Moody said, “Consumers have the right to have their most private health details protected. Companies that are entrusted with individual’s medical records and other private information must take serious precautions to keep information secure from hackers.”
In May 2015, the hackers allegedly infiltrated one of MIE’s servers containing names, mailing addresses, usernames, passwords and sensitive health information. The hackers allegedly stole the electronic Protected Health Information of more than 3.9 million people, including more than 112,000 records belonging to Floridians. According to the investigation, the hackers exploited several vulnerabilities at MIE at the time of the data breach, including poor password and security management protocols.
Under the terms of the consent judgment, MIE agreed to implement and maintain:
- An information security program and a Security Incident and Event Monitoring solution to detect and respond to malicious attacks;
- Data loss prevention technology to detect and prevent unauthorized data exfiltration;
- Password policies and procedures requiring the use of strong, complex passwords;
- Multi-factor authentication procedures when remotely accessing its systems that store or permit access to ePHI; and
- Controls on the creation of accounts with access to ePHI.
As part of the agreement, MIE will also pay nearly one million dollars to the states that filed the federal lawsuit. The other states participating in the agreement are Arizona, Arkansas, Connecticut, Indiana, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee, West Virginia and Wisconsin.