Attorney General Mark Brnovich Files First Multistate HIPAA Related Data Breach Lawsuit

PHOENIX -- Attorney General Mark Brnovich announced that he, along with Attorneys General from 11 other states and commonwealths, has filed a Complaint in the U.S. District Court for the Northern District of Indiana against Medical Informatics Engineering, Inc. and NoMoreClipboard, LLC (collectively “MIE”), a web-based electronic health record company headquartered in Fort Wayne, Indiana.

Today’s filing marks the first time state Attorneys General have joined together to pursue a HIPAA-related multistate data breach case in federal court.

The Complaint alleges the company violated provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) as well as state claims including Unfair and Deceptive Practice laws, Notice of Data Breach statutes, and state Personal Information Protection Acts.

According to the Complaint, between May 7, 2015, and May 26, 2015, hackers infiltrated WebChart, a web application run by MIE. The hackers purportedly stole the electronic Protected Health Information (“ePHI”) of more than 3.9 million individuals, including names, telephone numbers, mailing addresses, usernames, hashed passwords, security questions and answers, spousal information (name and potentially date of birth), email addresses, dates of birth, Social Security numbers, lab results, health insurance policy information, diagnoses, disability codes, doctors’ names, medical conditions, and children’s names and birth statistics. 

The Complaint asserts that MIE is liable because, among other things, it failed to implement basic industry-accepted data-security measures to protect ePHI from unauthorized access; did not have appropriate security safeguards or controls in place to prevent exploitation of vulnerabilities within its system; had an inadequate and ineffective response to the breach; and failed to encrypt the sensitive personal information and ePHI within its computer systems, despite representations to the contrary in its privacy policy.