An Indiana court will serve as the venue for the first-ever multistate data breach lawsuit, as the attorneys general of twelve US states join forces against a healthcare provider and its subsidiary.
The lawsuit alleges that Fort Wayne-based Medical Informatics Engineering and its subsidiary NoMoreClipboard “failed to take adequate and reasonable measures to ensure their computer systems were protected,” resulting in a 2015 breach that gave hackers access to the personal healthcare information of 3.9 million US citizens. The stolen information included not only identifying details, such as names and Social Security numbers, but also healthcare information, including diagnoses and lab results.
Patients whose data was stolen in the hack had visited 11 different healthcare providers and 44 different radiology clinics, all of whom shared one common feature: they used the WebChart app offered by Medical Informatics Engineering and NoMoreClipboard. Most of the affected patients lived in Indiana, but several others were residents of different states.
In response to the hack, the attorneys general from Arizona, Arkansas, Florida, Iowa, Indiana, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin have jointly filed a cross-state lawsuit alleging multiple violations of the Health Insurance Portability and Accountability Act (HIPAA).
At issue is the defendant’s WebChart app, which is designed to collect and manage electronic health record (EHR) information. The app allows medical providers to input information via computer, which is then managed by the defendants’ servers.
The lawsuit claims that the defendants failed to implement “basic industry-accepted data security measures,” leading to the breach.
For example, the company used general accounts with easily-guessed default usernames and passwords. Although these “tester” accounts didn’t have privileged access to the overall system, they could be, and were, used to launch an SQL injection attack against the server beginning around May 7, 2015. This attack in turn provided attackers with valuable information about the system’s overall structure and vulnerabilities, allowing them to penetrate further and eventually obtain patient data.
Digital Defense, a company specializing in network security solutions, allegedly tested the software in 2014 and again in 2015. Both times, Digital Defense reported “high risk” in the way the system was designed, but Medical Informatics Engineering and its subsidiary are alleged to have continued using the same setup despite Digital Defense’s warnings.
According to the complaint, attackers were able to access and steal data related to millions of patients by exploiting these “high risk” vulnerabilities. On May 25, 2015, attackers are said to have inserted malware in the system, extracting so many records from the Medical Informatics Engineering database that the system bogged down under the load and alerted system administrators. The malware was removed on May 26, but hackers were able to continue stealing information through previously-exploited means until at least May 29.
The lawsuit also includes allegations that the defendants breached several state laws, including acts related to unfair and deceptive practices, notices of data breach, and personal information protection acts. It asks the court to impose civil penalties on the defendants, based on its allegations.
First of Its Kind
Lawsuits that address data breaches are not uncommon. Companies like Facebook, Equifax and Marriott have made headlines. Many lawsuits are even filed as class actions, which means that they encompass alleged harms that occur in multiple states and to thousands or even millions of users.
However, the lawsuit against Medical informatics Engineering and NoMoreClipboard is structured a bit differently. The plaintiffs are neither individual patients nor a class of patients harmed by the alleged actions of the defendants. Rather, the plaintiffs are the twelve states whose attorneys general jointly filed the complaint in Indiana court.
The lawsuit also alleges that the defendants violated not only various state privacy laws, but also a federal law, the Health Insurance Portability and Accountability Act (HIPAA). Enacted in 1996 to safeguard medical information, HIPAA has come into play in the digital era to address healthcare data breaches.
HIPAA defines certain information as “protected health information” (PHI), and it requires covered entities to safeguard this information in particular ways. It also requires covered entities to notify individuals in writing when a PHI breach occurs.
Not all states allow patients whose PHI is breached to bring a private right of action regarding the breach. In states that do, many of these lawsuits fail when the individual who files a claim cannot prove he or she was actually injured by the breach. By pursuing legislation at the state level, the attorneys general named in the complaint can more directly address HIPAA violations and the alleged misconduct that may have caused them.