Attorneys General from twelve US states, including Indiana, Arizona Wisconsin and North Carolina have joined forces to file a lawsuit against a medical software company. This is the first ever multi-state data breach lawsuit that alleges violations of the Health Insurance Portability and Accountability Act (HIPAA).
The suit claims that the software provider, Medical Informatics Engineering Inc., did not implement fundamental data security measures to protect personal health information. The breach, which occurred in 2015, exposed the sensitive personal information of almost 4 million individuals. The data included names, phone numbers, postal addresses, user names, passwords, spousal information, email addresses, dates of birth, Social Security numbers, lab results, health insurance policy information, diagnoses and medical conditions.
According to the complainants, the companies stated that they had implemented and maintain appropriate safeguards to protect the personal information of patients. In reality they “did not have appropriate security safeguards or controls in place to prevent exploitation of vulnerabilities within their system.”