Arizona sues over medical company’s data breach
Arizona is part of a multi-state federal lawsuit filed against an Indiana medical company over a 2015 data breach, state Attorney General Mark Brnovich announced Monday.
Arizonans were among those affected when hackers infiltrated WebChart, a web application operated by Indianabased Medical Informatics Engineering Inc. and NoMoreClipboard (collectively known as MIE), officials with Brnovich’s office confirmed.
The data breach occurred between May 7, 2015, and May 26, 2015, the lawsuit says. A total of 3.9 million individuals were affected. Some were Arizonans, but a spokeswoman for Brnovich said her office did not have an estimate of how many.
The lawsuit says the hackers stole electronically protected health information, including names, phone numbers, mailing addresses, usernames, passwords, security questions and answers, spousal information (name and potentially date of birth), email addresses, dates of birth, Social Security numbers, lab results, health insurance policy information, diagnoses, disability codes, doctors’ names, medical conditions, and children’s names and birth statistics.
Brnovich in a written statement said that he has joined attorneys general from 11 other states in filing the legal action against MIE in U.S. District Court for the Northern District of Indiana. The attorneys general say that MIE is liable because it failed to implement “basic industry-accepted data security measures to protect individual’s health information from unauthorized access.”
The legal action marks the first time states attorneys general have joined together to pursue a multi-state data breach in federal court related to the Health Insurance Portability and Accountability Act, Brnovich’s office said.
MIE could not be reached for comment late Monday, but acknowledged the data breach in 2015, classifying it as a “cyber attack” that affected personal and protected health information in the electronic health records of “certain clients.”
“We take the security of health information very seriously and understand that such incidents cause real concern,” the company said in a 2015 statement. “We apologize sincerely and thank our customers for their continued loyalty and patience as we work through this challenge”
The multi-state lawsuit alleges the company violated provisions of HIPAA as well as state claims including Unfair and Deceptive Practice laws, Notice of Data Breach statutes and state Personal Information Protection Acts.
The complaint says MIE failed to implement and maintain an active security monitoring and alert system to detect unusual activity such as data exfiltration and remote access by unfamiliar or foreign IP addresses.