First Multistate HIPAA Data Breach Lawsuit May Signal Increased State Interest in Data Security Enforcement

On December 3, 2018, twelve attorneys general (“AGs”) jointly filed a data breach lawsuit against Medical Informatics Engineering and its subsidiary, NoMoreClipboard LLC (collectively “the Company”), an electronic health records company, in federal district court in Indiana.  See Indiana v. Med. Informatics Eng’g, Inc., No. 3:18-cv-00969 (N.D. Ind. filed Dec. 3, 2018).  The suit—led by Indiana Attorney General Curtis Hill—is joined by AGs from Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin.  While state AGs have previously exercised their civil enforcement authorities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), this is the first multi-state data breach lawsuit alleging HIPAA violations in federal court and may signal increased interest on the part of state officials in exercising their data protection authorities to address cybersecurity incidents.

The lawsuit concerns a May 2015 data breach in which hackers allegedly stole health information relating to 3.9 million individuals from the Company’s systems.  According to the complaint, over a period of 19 days, hackers were able to infiltrate the Company’s computer systems.  The stolen information allegedly included names and identifying information, hashed passwords, security questions and answers, family information, Social Security numbers, lab results, health insurance information, doctor’s names, and medical conditions, among other things.

The AGs have brought their claims under HIPAA and a variety of state statutes, i.e., state data breach and unfair or deceptive trade acts and practices (or “UDAP”) laws.  They argue that the Company failed to protect its computer systems adequately, take steps to prevent the breach, disclose material facts to consumers, and provide timely and adequate notice, among other things.  The complaint states that the Company failed to implement basic industry-accepted data security measures to protect PHI from unauthorized access, and did not have adequate controls in place. Specifically, the AGs allege that the Company:

  • set up a “tester” account (through which the attackers gained access) that had easily guessed passwords and did not require a unique user identification and password for remote access;
  • had identified vulnerabilities that enabled the attack through third-party penetration testing but had not remediated the vulnerabilities by the time of the attack;
  • failed to implement an active security monitoring and alert system (according to the complaint, “[a]n active security operations system should have identified remote system access by an unfamiliar IP address and alerted a system administrator to investigate”); and
  • represented in its privacy policy that the Company used encryption and authentication tools to protect information but failed to encrypt the data (at rest) on its computer systems.
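
As an added illustration of the monitoring control the complaint describes (not code from the filing or from the Company), the script below scans constructed remote-access log lines and raises an alert when a generic account such as “tester” logs in remotely or when a user connects from a source IP not in that user's baseline. The log format, the generic-account list and the per-user IP baseline are assumptions made for the example.

```python
import re

# Constructed sample remote-access log lines (not taken from the complaint).
SAMPLE_LOG = """\
2015-05-07T02:11:09Z sshd user=jsmith src=10.20.30.41 result=success
2015-05-07T02:15:44Z sshd user=tester src=198.51.100.23 result=success
2015-05-07T02:16:02Z sshd user=jsmith src=10.20.30.41 result=success
2015-05-07T03:40:10Z sshd user=jsmith src=203.0.113.77 result=success
2015-05-07T03:41:55Z sshd user=dba src=10.20.30.9 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>\S+)$"
)

# Assumed: generic or shared account names that should never be used remotely.
GENERIC_ACCOUNTS = {"tester", "test", "admin", "guest"}

# Assumed: baseline of source IPs previously seen for each user.
KNOWN_IPS = {
    "jsmith": {"10.20.30.41"},
    "dba": {"10.20.30.9"},
}


def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text, known_ips=KNOWN_IPS, generic=GENERIC_ACCOUNTS):
    """Return (timestamp, user, ip, reason) alerts for successful remote logins
    that an active monitoring system should escalate to an administrator."""
    alerts = []
    seen = {u: set(ips) for u, ips in known_ips.items()}  # copy the baseline
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev or ev["result"] != "success":
            continue  # failed logins are out of scope for this check
        user, ip = ev["user"], ev["ip"]
        if user in generic:
            alerts.append((ev["ts"], user, ip, "generic account used for remote access"))
        elif ip not in seen.get(user, set()):
            alerts.append((ev["ts"], user, ip, "unfamiliar source IP for this user"))
        seen.setdefault(user, set()).add(ip)  # alert once per newly seen IP
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT", *alert)
```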

The complaint also focuses on what the AGs allege was an “inadequate and ineffective” post-breach response.  While the Company was investigating the attack, according to the complaint, the hackers were able to access over 300,000 patient records, using privileged credentials acquired through SQL queries.  The complaint also states that the Company’s “information security policies were deficient and poorly documented.”  In particular, it alleges that the Company had an incomplete incident response plan.  The complaint notes that the Company began notifying affected individuals in July, 50 days after the breach was discovered, but did not conclude notifications until December.  Relatedly, several of the AGs bring specific claims that the Company violated applicable state data breach notification laws that impose timing requirements for notification.

In addition to seeking monetary penalties, the AGs seek injunctive relief in the form of a consent decree.  The consent decree would require the Company to: implement a written information security program, not employ generic accounts, require multi-factor authentication, implement a Security Incident and Event Monitoring solution, engage an independent third-party professional to conduct a risk analysis and provide a report to the Indiana Attorney General, and implement a variety of other specific controls.