PHOENIX -- Attorney General Mark Brnovich announced a settlement with healthcare software providers Medical Informatics Engineering Inc. and NoMoreClipboard, LLC (collectively, “MIE”). The settlement resolves a bipartisan lawsuit filed by Arizona and 15 other states against MIE relating to a 2015 data breach, which was the first such multistate lawsuit involving claims under the federal Health Insurance Portability and Accountability Act (“HIPAA”). As a result of the settlement, MIE will pay $900,000 to the states, and it has agreed to a comprehensive injunction requiring the implementation of significant data-security improvements.
“Millions of consumers have their personal information compromised every year," said Attorney General Brnovich. "If a business or a government agency can't meet their obligations to prevent a data breach or to adequately protect consumers after a breach, they need to be held accountable. Attorneys general can work together to use all available laws to ensure that companies are taking the protection of patient electronic data seriously.”
The data breach underlying the lawsuit and settlement occurred between May 7, 2015, and May 26, 2015, when hackers infiltrated WebChart, a web application run by MIE. The hackers stole the electronic Protected Health Information (“ePHI”) of more than 3.9 million individuals, including roughly 26,000 Arizonans. Stolen ePHI included names, telephone numbers, mailing addresses, usernames, hashed passwords, security questions and answers, spousal information (name and potentially date of birth), email addresses, dates of birth, Social Security numbers, lab results, health insurance policy information, diagnoses, disability codes, doctors’ names, medical conditions, and children’s names and birth statistics.
The case was filed in the U.S. District Court for the Northern District of Indiana, where MIE is headquartered. There is also a separate consumer class-action lawsuit in the same court that seeks direct relief for consumers.
Arizona was joined in its case and settlement by the states of Arkansas, Connecticut, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee, West Virginia, and Wisconsin.
For Arizona, the matter was handled by Assistant Attorney General John Gray.
A copy of the signed Consent Judgment.