AG Brnovich Announces Settlement in First-Ever Multistate HIPAA-Related Data Breach Lawsuit

PHOENIX -- Attorney General Mark Brnovich announced a settlement with healthcare software providers Medical Informatics Engineering Inc. and NoMoreClipboard, LLC (collectively, “MIE”). The settlement resolves a bipartisan lawsuit filed by Arizona and 15 other states against MIE relating to a 2015 data breach, which was the first such multistate lawsuit involving claims under the federal Health Insurance Portability and Accountability Act (“HIPAA”). As a result of the settlement, MIE will pay $900,000 to the states, and it has agreed to a comprehensive injunction requiring the implementation of significant data-security improvements.

“Millions of consumers have their personal information compromised every year,” said Attorney General Brnovich. “If a business or a government agency can’t meet their obligations to prevent a data breach or to adequately protect consumers after a breach, they need to be held accountable. Attorneys general can work together to use all available laws to ensure that companies are taking the protection of patient electronic data seriously.”

The data breach underlying the lawsuit and settlement occurred between May 7, 2015, and May 26, 2015, when hackers infiltrated WebChart, a web application run by MIE. The hackers stole the electronic Protected Health Information (“ePHI”) of more than 3.9 million individuals, including roughly 26,000 Arizonans. Stolen ePHI included names, telephone numbers, mailing addresses, usernames, hashed passwords, security questions and answers, spousal information (name and potentially date of birth), email addresses, dates of birth, Social Security numbers, lab results, health insurance policy information, diagnoses, disability codes, doctors’ names, medical conditions, and children’s names and birth statistics.

Along with his counterparts in 11 other states (and later joined by four additional states), Attorney General Brnovich filed suit against MIE in December 2018, asserting claims under HIPAA and applicable state laws. Among other things, the lawsuit alleged that MIE had failed to implement basic industry-accepted data-security measures to protect ePHI from unauthorized access; did not have appropriate security safeguards or controls in place to prevent exploitation of vulnerabilities within its system; had an inadequate and ineffective response to the breach; and failed to encrypt the sensitive personal information and ePHI within its computer systems, despite representations to the contrary in its privacy policy.

The case was filed in the U.S. District Court for the Northern District of Indiana, where MIE is headquartered. There is also a separate consumer class-action lawsuit in the same court that seeks direct relief for consumers.

Arizona was joined in its case and settlement by the states of Arkansas, Connecticut, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee, West Virginia, and Wisconsin.

For Arizona, the matter was handled by Assistant Attorney General John Gray.

A copy of the signed Consent Judgment.