A 12-state federal lawsuit has been filed against a Fort Wayne web-based electronic health records company that was hacked in 2015, compromising the data of more than 3.9 million people.
The Indiana Attorney General’s Office announced Monday it had joined a suit against Medical Informatics Engineering and subsidiary NoMoreClipboard, alleging the company violated provisions of the Health Insurance Portability and Accountability Act as well as state claims including Unfair and Deceptive Practice laws, Notice of Data Breach statutes, and state Personal Information Protection Acts.
MIE announced in June 2015 that its main network and its NoMoreClipboard network had been attacked beginning May 7 and that the attack was detected May 26. The company said the exposed information included names, addresses, birthdates, Social Security numbers and health records.
All told, the private information of 3.9 million people nationwide was exposed in the hack.
After the attack, MIE offered free credit monitoring and identity protection services to affected individuals, and then-Indiana Attorney General Greg Zoeller urged all state residents to freeze their credit.
More than three years later, states have come together to sue MIE. They are: Indiana, Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin.
It is the first time state attorneys general have joined together to pursue a HIPAA-related data breach case in federal court.
“We will always act to protect Hoosier consumers in cases such as this one,” Indiana Attorney General Hill said. “We make it our standard practice to pursue all penalties and remedies available under the law on behalf of our citizens, and we hope our proactive measures serve to motivate all companies doing business in Indiana to exercise the highest ethics and utmost diligence.”
The suit asks a federal judge to award victims injunctive relief, a financial judgment for restitution and civil penalties, and other relief the court finds just and proper.