TOPEKA – (May 30, 2019) – An electronic health records company will change its data security practices to settle a lawsuit over a data breach that compromised the personal information of more than 3.9 million people, including more than 20,000 Kansans, Attorney General Derek Schmidt announced today.
The settlement resolves allegations that Indiana-based Medical Informatics Engineering, Inc., violated provisions of the federal Health Insurance Portability and Accountability Act (“HIPAA”) and the Kansas Consumer Protection Act by failing to properly safeguard Kansans’ personal information. Schmidt and attorneys general from 15 other states filed the lawsuit in December.
Between May 7, 2015, and May 26, 2015, Medical Informatics Engineering and its subsidiary NoMoreClipboard LLC engaged in conduct that allowed hackers to infiltrate WebChart, a web application run by the two companies. The hackers stole the electronic Protected Health Information of more than 3.9 million individuals, including:
- Individual names, telephone numbers, mailing addresses and email addresses.
- Usernames, passwords, security questions and answers.
- Spousal information and children’s names and birth statistics.
- Dates of birth and Social Security numbers.
- Lab results, diagnoses and medical conditions.
- Health insurance policy information.
- Disability codes.
- Doctors’ names.
“We take seriously our responsibility to ensure companies that hold Kansans' personal information fulfill their legal duties to protect it,” Schmidt said. “Today’s settlement reflects our commitment to vigorously pursue those who put Kansans' information at risk.”
The settlement requires Medical Informatics Engineering to change its practices with regard to data security by implementing and maintaining additional security measures to prevent and detect attacks that may compromise consumers’ personal information, as well as policies and procedures to respond to security incidents. The company also has been ordered to make payments totaling $900,000 to the 16 states, including nearly $32,000 to Kansas.
The case was the nation’s first-ever multistate lawsuit involving a HIPAA-related data breach.
A copy of the consent judgment is available at https://bit.ly/2VS8nPa.