Electronic Health Records Company To Change Security Procedures Following Data Breach

Nearly 4 million people were affected when a national electronic health records company violated HIPPA laws that allowed your private information- like your address, social security number, and passwords- to be hacked in 2015. Now states are fighting back, and Medical Informatics Engineering has to change the way they secure your data, plus pay $900,000 in fines.

The settlement resolves allegations that Indiana-based Medical Informatics Engineering, Inc., violated provisions of the federal Health Insurance Portability and Accountability Act (“HIPAA”) and the Kansas Consumer Protection Act by failing to properly safeguard Kansans’ personal information. Kansas Attorney General Derek Schmidt and attorneys general from 15 other states filed the lawsuit in December.

Between May 7, 2015, and May 26, 2015, Medical Informatics Engineering and its subsidiary NoMoreClipboard LLC engaged in conduct that allowed hackers to infiltrate WebChart, a web application run by the two companies. The hackers stole the electronic Protected Health Information of more than 3.9 million individuals, including:

• Individual names, telephone numbers, mailing addresses and email addresses.
• Usernames, passwords, security questions and answers.
• Spousal information and children’s names and birth statistics.
• Dates of birth and Social Security numbers.
• Lab results, diagnosis and medical conditions.
• Health insurance policy information.
• Disability codes.
• Doctors’ names.

“We take seriously our responsibility to ensure companies that hold Kansans’ personal information fulfill their legal duties to protect it,” Schmidt said. “Today’s settlement reflects our commitment to vigorously pursue those who put Kansans’ information at risk.”

The settlement requires Medical Informatics Engineering to change its practices with regard to data security by implementing and maintaining additional security measures to prevent and detect attacks that may compromise consumers’ personal information, as well as policies and procedures to respond to security incidents. The company also has been ordered to make payments totaling $900,000 to the 16 states, including nearly $32,000 to Kansas.

The case was the nation’s first-ever multistate lawsuit involving a HIPAA-related data breach.

A copy of the consent judgment is available at https://bit.ly/2VS8nPa.