In coordination with 16 other state attorneys general, West Virginia AG Patrick Morrisey has reached a settlement concerning a data breach involving health records company Medical Informatics Engineering Inc. (MIE)
The breach, which occurred in May 2015, exposed the medical records of more than 3.9 million individuals.
Collectively, the attorneys general allege that hackers broke into an MIE web application known as WebChart, and stole electronic health information.
According to Huffington News, the case is regarded as the nation’s first multi-state data breach lawsuit involving the Health Insurance Portability and Accountability Act (HIPAA).
In a statement, Attorney General Morrisey said:
Businesses must take adequate and reasonable measures to ensure the protection of their computer systems, …Any business that fails to safeguard patients’ personal health information can cause significant harm to consumers across our state and nation.
The settlement, which was approved by a federal judge in May, requires the defendants to pay $900,000 to member states, and take additional steps to protect personal information. This must include hiring a third party firm to analyze and identify potential security risks. West Virginia’s proportional share of the payout is $21,187.
According to the AG’s office, the lawsuit resolves allegations that MIE violated provisions of HIPAA, as well as state claims including unfair and deceptive practice laws.
West Virginia joined the Indiana-led lawsuit along with Arizona, Arkansas, Connecticut, Florida, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee and Wisconsin.
You can read the court’s consent decree here.