On May 29, medical software company Medical Informatics Engineering, Inc. and its subsidiary NoMoreClipboard, LLC settled a first-of-its-kind lawsuit brought by several state attorneys general alleging violations of the Health Insurance Portability and Accountability Act following a data breach.

The multi-state lawsuit, filed in the U.S. District Court for the Northern District of Indiana, alleged that the defendants fell short of their obligations under HIPAA and various state laws to maintain the security of private individual health information contained within its systems.

In May 2015, hackers gained access to a medical web application operated by the defendants, resulting in the theft of the protected electronic health information of more than 3.9 million individuals, including Social Security numbers, names of relatives, and clinical health records. In their complaint, the attorneys general alleged that the defendants failed to properly safeguard the confidential information stored within their systems and lacked adequate procedures to prevent and swiftly respond to a data breach. For example, the complaint contended the data breach was avoidable because the defendants failed to encrypt the sensitive health data, had no system in place to alert it to hacking attempts, and even knew about its information security weaknesses beforehand but failed to rectify them.

The multi-state settlement, in the form of a consent judgment, includes a $900,000 civil penalty as well as injunctive measures requiring the defendants to assess and improve their information security protocols. The states involved in the settlement were Florida, North Carolina, Arizona, Arkansas, Wisconsin, Kansas, Kentucky, Louisiana, Michigan, Nebraska, Minnesota, West Virginia, Iowa, Indiana, Tennessee, and Connecticut.

Medical Informatics Engineering also recently reached a separate settlement with the U.S. Department of Health and Human Services Office for Civil Rights arising from the same incident.